Windows Analysis Report
Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

AI detected suspicious sample

Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2257711507.0000000001357000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2339042347.0000000001627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2041417968.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2175641992.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5804, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Adobe\Adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

3_2_00433837

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_cb14c3ba-b

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7492, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_004074FD _wcslen,CoGetObject,

3_2_004074FD

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409253
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C291
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C34D
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409665
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0044E879 FindFirstFileExA,	3_2_0044E879
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_0040880C
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,	3_2_0040783C
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419AF5
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB30
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,	6_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00407C97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 104.250.180.178:7902
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49709 -> 104.250.180.178:7902

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 104.250.180.178:7902

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_0041B380

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe, Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.2145507801.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.2145507801.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: Adobe.exe, 00000005.00000002.4500045437.0000000001482000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500045437.0000000001473000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp, bhvAA55.tmp.6.dr	String found in binary or memory: http://geoplugin.net/json.gp
Source: Adobe.exe, 00000005.00000002.4500045437.0000000001482000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%Ea
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpf
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: Adobe.exe, Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Adobe.exe, Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhvAA55.tmp.6.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
Source: Adobe.exe, 00000006.00000002.2145822794.0000000000DF4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, Adobe.exe.3.dr	String found in binary or memory: https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Adobe.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: Adobe.exe, Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Adobe.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvAA55.tmp.6.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

3_2_0040A2B8

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

3_2_0040B70E

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	3_2_004168C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_0040987A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_004098E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	10_2_00406DFC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	10_2_00406E9F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_004068B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_004072B5

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

3_2_0040B70E

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_0040A3E0

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2257711507.0000000001357000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2339042347.0000000001627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2041417968.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2175641992.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5804, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0041C9E2 SystemParametersInfoW,

3_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7492, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\ProgramData\Adobe\Adobe.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	6_2_0040DD85
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00401806 NtdllDefWindowProc_W,	6_2_00401806
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004018C0 NtdllDefWindowProc_W,	6_2_004018C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_004016FD NtdllDefWindowProc_A,	10_2_004016FD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_004017B7 NtdllDefWindowProc_A,	10_2_004017B7
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00402CAC NtdllDefWindowProc_A,	11_2_00402CAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00402D66 NtdllDefWindowProc_A,	11_2_00402D66

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

3_2_004167B4

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_02E043E8	0_2_02E043E8
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_02E0E094	0_2_02E0E094
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_02E07051	0_2_02E07051
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_0591F788	0_2_0591F788
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_059141C4	0_2_059141C4
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_05916D33	0_2_05916D33
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_0591F778	0_2_0591F778
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_0591C830	0_2_0591C830
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_05910040	0_2_05910040
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_0591C840	0_2_0591C840
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_0591CAD8	0_2_0591CAD8
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_0591CAC7	0_2_0591CAC7
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_07727270	0_2_07727270
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_077291F0	0_2_077291F0
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_0772DF70	0_2_0772DF70
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_07726E38	0_2_07726E38
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_07726E28	0_2_07726E28
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_07726A00	0_2_07726A00
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_07728918	0_2_07728918
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 0_2_07728908	0_2_07728908
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0043E0CC	3_2_0043E0CC
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0041F0FA	3_2_0041F0FA
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00454159	3_2_00454159
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00438168	3_2_00438168
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_004461F0	3_2_004461F0
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0043E2FB	3_2_0043E2FB
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0045332B	3_2_0045332B
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0042739D	3_2_0042739D
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_004374E6	3_2_004374E6
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0043E558	3_2_0043E558
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00438770	3_2_00438770
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_004378FE	3_2_004378FE
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00433946	3_2_00433946
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0044D9C9	3_2_0044D9C9
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00427A46	3_2_00427A46
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0041DB62	3_2_0041DB62
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00427BAF	3_2_00427BAF
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00437D33	3_2_00437D33
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00435E5E	3_2_00435E5E
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00426E0E	3_2_00426E0E
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0043DE9D	3_2_0043DE9D
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00413FCA	3_2_00413FCA
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00436FEA	3_2_00436FEA
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_00CB43E8	4_2_00CB43E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_00CBE094	4_2_00CBE094
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_00CB7051	4_2_00CB7051
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10017194	5_2_10017194
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_1000B5C1	5_2_1000B5C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B040	6_2_0044B040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043610D	6_2_0043610D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00447310	6_2_00447310
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044A490	6_2_0044A490
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040755A	6_2_0040755A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043C560	6_2_0043C560
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B610	6_2_0044B610
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044D6C0	6_2_0044D6C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004476F0	6_2_004476F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B870	6_2_0044B870
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044081D	6_2_0044081D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00414957	6_2_00414957
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004079EE	6_2_004079EE
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00407AEB	6_2_00407AEB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044AA80	6_2_0044AA80
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00412AA9	6_2_00412AA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404B74	6_2_00404B74
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404B03	6_2_00404B03
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044BBD8	6_2_0044BBD8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404BE5	6_2_00404BE5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404C76	6_2_00404C76
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00415CFE	6_2_00415CFE
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00416D72	6_2_00416D72
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00446D30	6_2_00446D30
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00446D8B	6_2_00446D8B
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00406E8F	6_2_00406E8F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00405038	10_2_00405038
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0041208C	10_2_0041208C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_004050A9	10_2_004050A9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0040511A	10_2_0040511A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0043C13A	10_2_0043C13A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_004051AB	10_2_004051AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00449300	10_2_00449300
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0040D322	10_2_0040D322
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0044A4F0	10_2_0044A4F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0043A5AB	10_2_0043A5AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00413631	10_2_00413631
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00446690	10_2_00446690
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0044A730	10_2_0044A730
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_004398D8	10_2_004398D8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_004498E0	10_2_004498E0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0044A886	10_2_0044A886
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0043DA09	10_2_0043DA09
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00438D5E	10_2_00438D5E
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00449ED0	10_2_00449ED0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0041FE83	10_2_0041FE83
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00430F54	10_2_00430F54
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_004050C2	11_2_004050C2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_004014AB	11_2_004014AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00405133	11_2_00405133
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_004051A4	11_2_004051A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00401246	11_2_00401246
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_0040CA46	11_2_0040CA46
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00405235	11_2_00405235
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_004032C8	11_2_004032C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00401689	11_2_00401689
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00402F60	11_2_00402F60
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_02A243E8	12_2_02A243E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_02A2E094	12_2_02A2E094
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_02A27051	12_2_02A27051
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_056C91F0	12_2_056C91F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_056C7260	12_2_056C7260
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_056C7270	12_2_056C7270
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_056CDF70	12_2_056CDF70
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_056C6E38	12_2_056C6E38
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_056C8908	12_2_056C8908
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_056C8918	12_2_056C8918
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_056C6A00	12_2_056C6A00
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_027743E8	15_2_027743E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_0277E094	15_2_0277E094
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_02777051	15_2_02777051
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_07297270	15_2_07297270
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_072991F0	15_2_072991F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_0729E0B0	15_2_0729E0B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_07296E28	15_2_07296E28
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_07296E38	15_2_07296E38
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_07296A00	15_2_07296A00
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_07298908	15_2_07298908
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_07298918	15_2_07298918
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074CF788	15_2_074CF788
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074C41C4	15_2_074C41C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074CF778	15_2_074CF778
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074CCAC7	15_2_074CCAC7
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074CCAD8	15_2_074CCAD8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074C41BD	15_2_074C41BD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074C0040	15_2_074C0040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074CC840	15_2_074CC840
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 15_2_074CC830	15_2_074CC830
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BF43E8	18_2_00BF43E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BFE094	18_2_00BFE094
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BF705E	18_2_00BF705E

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004165FF appears 35 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00422297 appears 42 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00413025 appears 79 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00416760 appears 69 times

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2053174536.00000000058A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2038479111.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2042873217.0000000003087000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2053643055.0000000007350000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.2041417968.0000000001531000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelH vs Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Binary or memory string: OriginalFilenamelHJn.exeF vs Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7492, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, DIqwQSSEKDxovHMnnd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, DIqwQSSEKDxovHMnnd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@30/7@1/2

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

6_2_004182CE

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		3_2_00417952
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		11_2_00410DE1

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

6_2_00418758

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

3_2_0040F474

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

3_2_0041B4A8

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0041AA4A

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.log

Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe-OTOIRK
Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: NULL

Source: C:\ProgramData\Adobe\Adobe.exe

File created: C:\Users\user\AppData\Local\Temp\bhvAA55.tmp

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\ProgramData\Adobe\Adobe.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Adobe.exe, Adobe.exe, 00000006.00000002.2145507801.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Adobe.exe, Adobe.exe, 0000000A.00000002.2139274482.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 00000006.00000002.2145507801.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2145507801.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2145507801.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2145507801.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Adobe.exe, 00000006.00000002.2146558301.0000000003340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2145507801.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

File read: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Source: C:\ProgramData\Adobe\Adobe.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe "C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process created: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe "C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\sjwnfpnrxvemnctydvpmlfmrafenxb"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ffhrgs"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process created: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe "C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\sjwnfpnrxvemnctydvpmlfmrafenxb"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ffhrgs"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\ProgramData\Adobe\Adobe.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

.NET source code contains method to dynamically call methods (often used by packers)

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static file information: File size 1129984 > 1048576

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10e000

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	.Net Code: FDWI0pEnoS System.Reflection.Assembly.Load(byte[])
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	.Net Code: FDWI0pEnoS System.Reflection.Assembly.Load(byte[])
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

3_2_0041CB50

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00457106 push ecx; ret	3_2_00457119
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0045B11A push esp; ret	3_2_0045B141
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0045E54D push esi; ret	3_2_0045E556
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00457A28 push eax; ret	3_2_00457A46
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00434E56 push ecx; ret	3_2_00434E69
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002806 push ecx; ret	5_2_10002819
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044693D push ecx; ret	6_2_0044694D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044DB70 push eax; ret	6_2_0044DB84
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044DB70 push eax; ret	6_2_0044DBAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00451D54 push eax; ret	6_2_00451D61
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0CC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00451D34 push eax; ret	10_2_00451D41
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00444E71 push ecx; ret	10_2_00444E81
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00414060 push eax; ret	11_2_00414074
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00414060 push eax; ret	11_2_0041409C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00414039 push ecx; ret	11_2_00414049
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_004164EB push 0000006Ah; retf	11_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00416553 push 0000006Ah; retf	11_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00416555 push 0000006Ah; retf	11_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BFA548 pushfd ; ret	18_2_00BFA652
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BF4659 push ebx; ret	18_2_00BF465A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BF477C push esp; ret	18_2_00BF477E
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BF4779 push esp; ret	18_2_00BF477A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BF4838 push edi; ret	18_2_00BF483A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 18_2_00BF4841 push edi; ret	18_2_00BF4842

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Static PE information: section name: .text entropy: 7.888509874015793
Source: Adobe.exe.3.dr	Static PE information: section name: .text entropy: 7.888509874015793

Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, DsgRYtpJ7jgWXpDVHB.cs	High entropy of concatenated method names: 'Dispose', 'xSYjwHf4QP', 'DBU7D7iJh0', 'bG86xopy7y', 'e9Ojov5fLC', 'oGNjz9Qbj3', 'ProcessDialogKey', 'aNk7qpZkUt', 'Yx57jbQTN6', 'G9f77RsLjK'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, tfEecnml785wHwJIHJ.cs	High entropy of concatenated method names: 'XHo42Qivp7', 'vdS4p7Z9ad', 'Ga84B609Ii', 'H764KbnJ1w', 'Jjb4Akks2I', 'NUHBJ60lp2', 'BvjBPjfM6c', 'sfqBrwwwrb', 'kPnBNTUYwC', 'MpFBwe9RRv'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, YUvroyzbVyKhJ9NC7G.cs	High entropy of concatenated method names: 'OhseWLjJmC', 'TJUeSifGKT', 'ggRebnH8Z6', 'gZIemusvZ7', 'yaMeDv9e5B', 'Mt7etWOq5G', 'uCIeMik5Gh', 'wkOeTdh0gD', 'oJfeZOpi0o', 'gjOevnDIiZ'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, XqroXsb0HtKVWwktli.cs	High entropy of concatenated method names: 'bYT8GKGDkI', 'Wdg8WgOsEd', 'mdF8SGetmm', 'Ei88b3E3CQ', 'ArM8UXs9kA', 'kEK8692WDd', 'QEg8lI1wqY', 'w818XqiiOI', 'Qc18n17aKG', 'M728ecFQH4'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, vAeenPVQadtXavDfJY.cs	High entropy of concatenated method names: 'R5bUfVenqH', 'nIYUxrfCeS', 'IUtUVOr4Yk', 'KiuUsPE2nt', 'qPkUD1BA9K', 'xN8UgAuY7u', 'T6tUtcK3ZR', 'UDFUMo0LqX', 'JuKU1Y8Sqs', 'QIZUREiNp3'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, S34ELRjqhjYwO2cZjau.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OnZeEJkaDs', 'EZcexpjKJx', 'bg8eQjeZij', 'mixeVG1uHB', 'a8Nestvjck', 'pmxeavh461', 'HQjeyxaDt1'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, B5O0EuQUashbiCeofa.cs	High entropy of concatenated method names: 'eQFLSGOjXR', 'GSGLbMv4Bm', 'UuuLmdrbXL', 'NokLD8P6ql', 'K2CLtPq7VN', 'QbsLMjuybo', 'WlfLR1bfTI', 'V3PL5rmXd7', 's4TLfCVb0S', 'dqlLEUFX6x'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, npZkUtwox5bQTN6m9f.cs	High entropy of concatenated method names: 'u8XnmW7Tt8', 'fV3nDetjdq', 'dVsngfME95', 'CvlntRPgrI', 'vgDnMePwv0', 'r8Yn10Mfs2', 'lePnRIp9j0', 'NEsn5jX9uE', 'LKonHjILRH', 'n9anfDYpEU'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, DIqwQSSEKDxovHMnnd.cs	High entropy of concatenated method names: 'n9YpVB4Nij', 'MOypsV48tk', 'Ba2paAm1Xx', 'dmWpym1mfl', 'EkTpJsOIgw', 'RDHpPIwUO7', 'VyQprG6ScG', 'HqQpN7XZCF', 'eKUpwqEecq', 'odHpoiZkKJ'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, B4E3KKrikZSYHf4QP2.cs	High entropy of concatenated method names: 'NCZnUNtTJn', 'KM5nlyD6QH', 'OInnngkGqK', 'c2enuFqqLO', 'T8fnc4tdJR', 'x67nTSZYbU', 'Dispose', 'eOLX9N5A2r', 'iLyXpp6vLo', 'DsMX8g1XYh'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, r6qhZTjjHGZUW117FxN.cs	High entropy of concatenated method names: 'iV0eopsqVu', 'Ywuezsc079', 'Kv7uq64wCd', 'Ln3ujalI2V', 'PtCu7WDWsD', 'QdauFwUNEO', 'mihuIdixF7', 'WDju2cnlmE', 'x7Gu9Imi7R', 'XYxupmVsTX'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, Qy48fnP1SYT2woEVtE.cs	High entropy of concatenated method names: 'OUXlNFvpCB', 'C3dloTYfD0', 'wJkXqU7ElB', 'DgMXjV0733', 'chclEjVphN', 'BYVlxvxopx', 'vOolQpKGNZ', 'Uc4lVCS700', 'MWtlsWkITP', 'DyclaiVfyY'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, mHbW0AIAKqkj6eq51o.cs	High entropy of concatenated method names: 'moSjKIqwQS', 'OKDjAxovHM', 'S0HjCtKVWw', 'mtljkicbKm', 'zpxjUrnufE', 'scnj6l785w', 'VF2w1OM0KPwI3Npy1k', 'OlxVdNgGVyqTcLBiIP', 'jv7AvAFgNFjoQmAyur', 'Lj8jjss9dr'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, sXCmwo7FUFTMMAucwi.cs	High entropy of concatenated method names: 'pKQ0h5EpA', 'WxsGZ1eAQ', 'r1bWgedis', 'dYbdU8MJl', 'q5SbJBHTt', 'mpyhbgnM4', 'Av3xGsJEoJ3Rlc29E5', 'o7SB6bnIHWGLpJRBXQ', 'YWVXvWUx9', 'ShTej5GkX'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, P2op7naIXLWiwb2dfs.cs	High entropy of concatenated method names: 'ToString', 'Q8L6ECh02e', 'DCP6D0PV6S', 'FKg6g6Rf2A', 'K876tdcVv9', 'L0f6MVDvjl', 'DmI61h0dkW', 'gMR6R2kwGs', 'NK465wM5QI', 'p3M6Hijsmf'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, nJdwq78l2LvXAmgiU4.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PTj7wCicbQ', 'Y9F7o5mXyQ', 'Hnh7zTXeks', 'SkCFqN2gFd', 'Uj1FjIS8CO', 'o7sF7Amk2C', 'mtcFFgZTZR', 'bLYIR4X4emxfIJWM8eA'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	High entropy of concatenated method names: 'J8TF2Stfrd', 'McYF92pm5f', 'k1MFpoNH23', 'eGKF8I8eHG', 'CdZFBHSjMO', 'fFlF4McZin', 'TABFKF7tcJ', 'HOsFAejJfJ', 'UqkFOZSClG', 'RwAFCqIRyx'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, ioJ88bRZCkDBoOICcf.cs	High entropy of concatenated method names: 'wAMK9YN821', 'IjqK8KFHIA', 'yvFK431oIn', 'E9P4oxfLB3', 'gQp4zvY4bs', 'CGeKqATJGr', 'IxIKjwouEN', 'VAFK7JltTB', 'va3KF65i0R', 'qw3KIiPgHj'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, UpKycuyFGKlTPK1Hfj.cs	High entropy of concatenated method names: 'NkclCueNga', 'qTllkT2UHD', 'ToString', 'h6Tl9sgc6p', 'nGwlpIIl6V', 'SiEl8Jgpmx', 'CR7lBZrmpi', 'EDll4Xn2Lx', 'OpClKScesl', 'gyTlAKJgbp'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, vbKmbdhHMyThL0pxrn.cs	High entropy of concatenated method names: 'eL5BYB7FOY', 'xqLBdcmYIF', 'AEH8gClUrS', 'cty8tbyqJQ', 'xoW8MCUIJs', 'Pxp81XbQPi', 'T978RrDYFH', 'Hp785o0VT6', 'R6x8HuDfj3', 'tNB8fM1l0X'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, KsLjKmoKaFiko76OHT.cs	High entropy of concatenated method names: 'JnNe8lCIha', 'HPpeBZDRpF', 'sn5e4WCqyp', 'PqceKYq7n0', 'cbOenXvS4W', 'HlneAdG2La', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7350000.5.raw.unpack, HmKTHXHIjeE7xnx0PR.cs	High entropy of concatenated method names: 'SbsKZLjm9g', 'fyAKvPK9DC', 'lxDK0uG73c', 'QaFKGojjZF', 'Ve0KYwB0Ze', 'AwPKWumrRL', 'BGWKd0Thpp', 'MTZKSF5P7u', 'SjkKbIRCMw', 'gS5KhRBGTA'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, DsgRYtpJ7jgWXpDVHB.cs	High entropy of concatenated method names: 'Dispose', 'xSYjwHf4QP', 'DBU7D7iJh0', 'bG86xopy7y', 'e9Ojov5fLC', 'oGNjz9Qbj3', 'ProcessDialogKey', 'aNk7qpZkUt', 'Yx57jbQTN6', 'G9f77RsLjK'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, tfEecnml785wHwJIHJ.cs	High entropy of concatenated method names: 'XHo42Qivp7', 'vdS4p7Z9ad', 'Ga84B609Ii', 'H764KbnJ1w', 'Jjb4Akks2I', 'NUHBJ60lp2', 'BvjBPjfM6c', 'sfqBrwwwrb', 'kPnBNTUYwC', 'MpFBwe9RRv'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, YUvroyzbVyKhJ9NC7G.cs	High entropy of concatenated method names: 'OhseWLjJmC', 'TJUeSifGKT', 'ggRebnH8Z6', 'gZIemusvZ7', 'yaMeDv9e5B', 'Mt7etWOq5G', 'uCIeMik5Gh', 'wkOeTdh0gD', 'oJfeZOpi0o', 'gjOevnDIiZ'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, XqroXsb0HtKVWwktli.cs	High entropy of concatenated method names: 'bYT8GKGDkI', 'Wdg8WgOsEd', 'mdF8SGetmm', 'Ei88b3E3CQ', 'ArM8UXs9kA', 'kEK8692WDd', 'QEg8lI1wqY', 'w818XqiiOI', 'Qc18n17aKG', 'M728ecFQH4'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, vAeenPVQadtXavDfJY.cs	High entropy of concatenated method names: 'R5bUfVenqH', 'nIYUxrfCeS', 'IUtUVOr4Yk', 'KiuUsPE2nt', 'qPkUD1BA9K', 'xN8UgAuY7u', 'T6tUtcK3ZR', 'UDFUMo0LqX', 'JuKU1Y8Sqs', 'QIZUREiNp3'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, S34ELRjqhjYwO2cZjau.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OnZeEJkaDs', 'EZcexpjKJx', 'bg8eQjeZij', 'mixeVG1uHB', 'a8Nestvjck', 'pmxeavh461', 'HQjeyxaDt1'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, B5O0EuQUashbiCeofa.cs	High entropy of concatenated method names: 'eQFLSGOjXR', 'GSGLbMv4Bm', 'UuuLmdrbXL', 'NokLD8P6ql', 'K2CLtPq7VN', 'QbsLMjuybo', 'WlfLR1bfTI', 'V3PL5rmXd7', 's4TLfCVb0S', 'dqlLEUFX6x'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, npZkUtwox5bQTN6m9f.cs	High entropy of concatenated method names: 'u8XnmW7Tt8', 'fV3nDetjdq', 'dVsngfME95', 'CvlntRPgrI', 'vgDnMePwv0', 'r8Yn10Mfs2', 'lePnRIp9j0', 'NEsn5jX9uE', 'LKonHjILRH', 'n9anfDYpEU'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, DIqwQSSEKDxovHMnnd.cs	High entropy of concatenated method names: 'n9YpVB4Nij', 'MOypsV48tk', 'Ba2paAm1Xx', 'dmWpym1mfl', 'EkTpJsOIgw', 'RDHpPIwUO7', 'VyQprG6ScG', 'HqQpN7XZCF', 'eKUpwqEecq', 'odHpoiZkKJ'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, B4E3KKrikZSYHf4QP2.cs	High entropy of concatenated method names: 'NCZnUNtTJn', 'KM5nlyD6QH', 'OInnngkGqK', 'c2enuFqqLO', 'T8fnc4tdJR', 'x67nTSZYbU', 'Dispose', 'eOLX9N5A2r', 'iLyXpp6vLo', 'DsMX8g1XYh'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, r6qhZTjjHGZUW117FxN.cs	High entropy of concatenated method names: 'iV0eopsqVu', 'Ywuezsc079', 'Kv7uq64wCd', 'Ln3ujalI2V', 'PtCu7WDWsD', 'QdauFwUNEO', 'mihuIdixF7', 'WDju2cnlmE', 'x7Gu9Imi7R', 'XYxupmVsTX'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, Qy48fnP1SYT2woEVtE.cs	High entropy of concatenated method names: 'OUXlNFvpCB', 'C3dloTYfD0', 'wJkXqU7ElB', 'DgMXjV0733', 'chclEjVphN', 'BYVlxvxopx', 'vOolQpKGNZ', 'Uc4lVCS700', 'MWtlsWkITP', 'DyclaiVfyY'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, mHbW0AIAKqkj6eq51o.cs	High entropy of concatenated method names: 'moSjKIqwQS', 'OKDjAxovHM', 'S0HjCtKVWw', 'mtljkicbKm', 'zpxjUrnufE', 'scnj6l785w', 'VF2w1OM0KPwI3Npy1k', 'OlxVdNgGVyqTcLBiIP', 'jv7AvAFgNFjoQmAyur', 'Lj8jjss9dr'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, sXCmwo7FUFTMMAucwi.cs	High entropy of concatenated method names: 'pKQ0h5EpA', 'WxsGZ1eAQ', 'r1bWgedis', 'dYbdU8MJl', 'q5SbJBHTt', 'mpyhbgnM4', 'Av3xGsJEoJ3Rlc29E5', 'o7SB6bnIHWGLpJRBXQ', 'YWVXvWUx9', 'ShTej5GkX'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, P2op7naIXLWiwb2dfs.cs	High entropy of concatenated method names: 'ToString', 'Q8L6ECh02e', 'DCP6D0PV6S', 'FKg6g6Rf2A', 'K876tdcVv9', 'L0f6MVDvjl', 'DmI61h0dkW', 'gMR6R2kwGs', 'NK465wM5QI', 'p3M6Hijsmf'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, nJdwq78l2LvXAmgiU4.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PTj7wCicbQ', 'Y9F7o5mXyQ', 'Hnh7zTXeks', 'SkCFqN2gFd', 'Uj1FjIS8CO', 'o7sF7Amk2C', 'mtcFFgZTZR', 'bLYIR4X4emxfIJWM8eA'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, Fh1UuuAujXdFMfO7oU.cs	High entropy of concatenated method names: 'J8TF2Stfrd', 'McYF92pm5f', 'k1MFpoNH23', 'eGKF8I8eHG', 'CdZFBHSjMO', 'fFlF4McZin', 'TABFKF7tcJ', 'HOsFAejJfJ', 'UqkFOZSClG', 'RwAFCqIRyx'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, ioJ88bRZCkDBoOICcf.cs	High entropy of concatenated method names: 'wAMK9YN821', 'IjqK8KFHIA', 'yvFK431oIn', 'E9P4oxfLB3', 'gQp4zvY4bs', 'CGeKqATJGr', 'IxIKjwouEN', 'VAFK7JltTB', 'va3KF65i0R', 'qw3KIiPgHj'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, UpKycuyFGKlTPK1Hfj.cs	High entropy of concatenated method names: 'NkclCueNga', 'qTllkT2UHD', 'ToString', 'h6Tl9sgc6p', 'nGwlpIIl6V', 'SiEl8Jgpmx', 'CR7lBZrmpi', 'EDll4Xn2Lx', 'OpClKScesl', 'gyTlAKJgbp'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, vbKmbdhHMyThL0pxrn.cs	High entropy of concatenated method names: 'eL5BYB7FOY', 'xqLBdcmYIF', 'AEH8gClUrS', 'cty8tbyqJQ', 'xoW8MCUIJs', 'Pxp81XbQPi', 'T978RrDYFH', 'Hp785o0VT6', 'R6x8HuDfj3', 'tNB8fM1l0X'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, KsLjKmoKaFiko76OHT.cs	High entropy of concatenated method names: 'JnNe8lCIha', 'HPpeBZDRpF', 'sn5e4WCqyp', 'PqceKYq7n0', 'cbOenXvS4W', 'HlneAdG2La', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.41f7920.3.raw.unpack, HmKTHXHIjeE7xnx0PR.cs	High entropy of concatenated method names: 'SbsKZLjm9g', 'fyAKvPK9DC', 'lxDK0uG73c', 'QaFKGojjZF', 'Ve0KYwB0Ze', 'AwPKWumrRL', 'BGWKd0Thpp', 'MTZKSF5P7u', 'SjkKbIRCMw', 'gS5KhRBGTA'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

File written: C:\ProgramData\Adobe\Adobe.exe

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

3_2_00406EB0

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	File created: \draft - hbl# wspae1311198 vsl# cosco netherlands v-067e.scr.exe
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	File created: \draft - hbl# wspae1311198 vsl# cosco netherlands v-067e.scr.exe
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	File created: \draft - hbl# wspae1311198 vsl# cosco netherlands v-067e.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	File created: \draft - hbl# wspae1311198 vsl# cosco netherlands v-067e.scr.exe	Jump to behavior

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK

Delayed program exit found

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0041AA4A

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

3_2_0041CB50

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5592, type: MEMORYSTR

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0040F7A7 Sleep,ExitProcess,

3_2_0040F7A7

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Memory allocated: 3030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Memory allocated: 9410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Memory allocated: A410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Memory allocated: A620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Memory allocated: B620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 4620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 6DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: AAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: AF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: E60000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 27A0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 47A0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 88B0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 98B0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9AB0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: AAB0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: BB0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 25B0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 45B0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8780000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 6BC0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9780000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A780000 memory reserve \| memory write watch

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

6_2_0040DD85

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

3_2_0041A748

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 452			Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 9536			Jump to behavior

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Evaded block: after key decision			graph_3-47650
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Evaded block: after key decision			graph_3-47673

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	API coverage: 6.3 %
Source: C:\ProgramData\Adobe\Adobe.exe	API coverage: 9.7 %

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7660	Thread sleep count: 452 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7660	Thread sleep time: -1356000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7660	Thread sleep count: 9536 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7660	Thread sleep time: -28608000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 1396	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409253
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C291
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C34D
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409665
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0044E879 FindFirstFileExA,	3_2_0044E879
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_0040880C
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,	3_2_0040783C
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419AF5
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB30
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,	6_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00407C97

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_00418981 memset,GetSystemInfo,

6_2_00418981

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477

Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.2041417968.0000000001531000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\U
Source: Adobe.exe, 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.2041417968.0000000001531000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
Source: Adobe.exe, 00000005.00000002.4500045437.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.2041417968.0000000001531000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BBml
Source: bhvAA55.tmp.6.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\ProgramData\Adobe\Adobe.exe

API call chain: ExitProcess graph end node

Source: C:\ProgramData\Adobe\Adobe.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_004349F9

Source: C:\ProgramData\Adobe\Adobe.exe

6_2_0040DD85

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

3_2_0041CB50

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h]		3_2_004432B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10004AB4 mov eax, dword ptr fs:[00000030h]		5_2_10004AB4

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_00412077 GetProcessHeap,HeapFree,

3_2_00412077

Source: C:\ProgramData\Adobe\Adobe.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004349F9
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00434B47 SetUnhandledExceptionFilter,	3_2_00434B47
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0043BB22
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00434FDC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_100060E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_10002639
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_10002B1C

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Memory written: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_004120F7

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_00419627 mouse_event,

3_2_00419627

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process created: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe "C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\sjwnfpnrxvemnctydvpmlfmrafenxb"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ffhrgs"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: Adobe.exe, 00000005.00000002.4500045437.0000000001492000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Adobe.exe, 00000005.00000002.4500045437.0000000001492000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerKl0
Source: Adobe.exe, 00000005.00000002.4500045437.0000000001492000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageril^
Source: Adobe.exe, 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Adobe.exe, 00000005.00000002.4500045437.0000000001492000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerclh

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_00434C52 cpuid

3_2_00434C52

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: EnumSystemLocalesW,	3_2_00452036
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_004520C3
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: GetLocaleInfoW,	3_2_00452313
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: EnumSystemLocalesW,	3_2_00448404
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0045243C
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: GetLocaleInfoW,	3_2_00452543
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00452610
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: GetLocaleInfoA,	3_2_0040F8D1
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: GetLocaleInfoW,	3_2_004488ED
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00451CD8
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: EnumSystemLocalesW,	3_2_00451F50
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: EnumSystemLocalesW,	3_2_00451F9B

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Queries volume information: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0040B164 GetLocalTime,wsprintfW,

3_2_0040B164

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_0041B60D GetUserNameW,

3_2_0041B60D

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_00449190

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_0041739B GetVersionExW,

6_2_0041739B

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected PureLog Stealer

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.30ad76c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Adobe.exe.269d284.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053174536.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2042873217.0000000003087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2058916806.0000000002679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2257711507.0000000001357000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2339042347.0000000001627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2041417968.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2175641992.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5804, type: MEMORYSTR

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_0040BB30
Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Code function: \key3.db		3_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: ESMTPPassword	10_2_004033F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	10_2_00402DB3
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	10_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: Adobe.exe PID: 7836, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.40524c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.58a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.30ad76c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Adobe.exe.269d284.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053174536.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2042873217.0000000003087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2058916806.0000000002679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.413ad00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2257711507.0000000001357000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2339042347.0000000001627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2041417968.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2175641992.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5804, type: MEMORYSTR

Source: C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Code function: cmd.exe

3_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	11 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	22 Software Packing	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	222 Process Injection	1 DLL Side-Loading	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Bypass User Account Control	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	222 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	53%	ReversingLabs	Win32.Trojan.Remcos
Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	100%	Avira	HEUR/AGEN.1307356
Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Adobe\Adobe.exe	100%	Avira	HEUR/AGEN.1307356
C:\ProgramData\Adobe\Adobe.exe	100%	Joe Sandbox ML
C:\ProgramData\Adobe\Adobe.exe	53%	ReversingLabs	Win32.Trojan.Remcos

Source	Detection	Scanner	Label	Link
https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P	bhvAA55.tmp.6.dr	false		high
https://www.google.com	Adobe.exe, Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://www.office.com/	bhvAA55.tmp.6.dr	false		high
http://www.imvu.comr	Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073	bhvAA55.tmp.6.dr	false		high
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF	bhvAA55.tmp.6.dr	false		high
http://geoplugin.net/json.gpf	Adobe.exe, 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingaot	bhvAA55.tmp.6.dr	false		high
http://geoplugin.net/json.gp/C	Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://maps.windows.com/windows-app-web-link	bhvAA55.tmp.6.dr	false		high
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e	bhvAA55.tmp.6.dr	false		high
http://www.imvu.com	Adobe.exe, Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingrms	bhvAA55.tmp.6.dr	false		high
https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac	Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, Adobe.exe.3.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/accounts/servicelogin	Adobe.exe	false		high
https://login.yahoo.com/config/login	Adobe.exe	false		high
http://www.nirsoft.net	Adobe.exe, 00000006.00000002.2145822794.0000000000DF4000.00000004.00000010.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingaotak	bhvAA55.tmp.6.dr	false		high
https://deff.nelreports.net/api/report?cat=msn	bhvAA55.tmp.6.dr	false		high
http://www.nirsoft.net/	Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://geoplugin.net/json.gp%Ea	Adobe.exe, 00000005.00000002.4500045437.0000000001482000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ebuddy.com	Adobe.exe, Adobe.exe, 0000000B.00000002.2140436616.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564681
Start date and time:	2024-11-28 17:41:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@30/7@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 159 Number of non-executed functions: 319
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
11:41:57	API Interceptor	2x Sleep call for process: Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe modified
11:41:58	API Interceptor	4742553x Sleep call for process: Adobe.exe modified
17:42:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
17:42:10	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
17:42:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.250.180.178	CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Get hash	malicious	Remcos	Browse
	PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Get hash	malicious	XWorm	Browse
	rSOD219ISF-____.scr.exe	Get hash	malicious	Remcos	Browse
	rWWTLCLtoUSADCL.scr.exe	Get hash	malicious	XWorm	Browse
	ttCOg61bOg.exe	Get hash	malicious	Remcos	Browse
	SKM_C364e24092511300346565787689900142344656767788755634232343456768953334466870.scr.exe	Get hash	malicious	Remcos	Browse
	ISF #U8a02#U8259#U55ae - KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
	ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe	Get hash	malicious	Remcos	Browse
	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Get hash	malicious	XWorm	Browse
178.237.33.50	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SC_TR126089907.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	geoplugin.net/json.gp
	Banco Santander Totta _Aconselhamento_Pagamento.img	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	rem.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	Salary Revision _pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SC_TR126089907.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	178.237.33.50
	Banco Santander Totta _Aconselhamento_Pagamento.img	Get hash	malicious	Remcos	Browse	178.237.33.50
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	rem.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	Salary Revision _pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	104.250.180.178
	loligang.x86-20241128-1536.elf	Get hash	malicious	Mirai	Browse	38.95.109.118
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	38.206.86.187
	nabarm5.elf	Get hash	malicious	Unknown	Browse	45.74.38.161
	mips.elf	Get hash	malicious	Unknown	Browse	77.36.125.131
	akcqrfutuo.elf	Get hash	malicious	Unknown	Browse	154.17.91.183
	Mail-Manager.jar	Get hash	malicious	Unknown	Browse	184.174.97.32
	nklsh4.elf	Get hash	malicious	Unknown	Browse	194.71.126.13
	splm68k.elf	Get hash	malicious	Unknown	Browse	193.43.20.63
	nklx86.elf	Get hash	malicious	Unknown	Browse	196.19.8.215
ATOM86-ASATOM86NL	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SC_TR126089907.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	178.237.33.50
	Banco Santander Totta _Aconselhamento_Pagamento.img	Get hash	malicious	Remcos	Browse	178.237.33.50
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	rem.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	Salary Revision _pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

Process:	C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1129984
Entropy (8bit):	7.88700496193482
Encrypted:	false
SSDEEP:	24576:V2xjyUVJKPWlHhWp19hnxRpPNX7HLQUqckP9LbuLCnYng:IUUVJVlHkpVnx3d7HLpEVLtnY
MD5:	BC74E2D086D7BEF42C3604C1DAFC3EDB
SHA1:	F3BA507BEE10AF7E9FD64B1C70FECB975E216073
SHA-256:	B2A1E0E508BE9C7546A8AF45C72F2032F067AC036F03EC0C8309B368B195A65C
SHA-512:	0844FB41B40E29C363B7C62F39819569F405F6C038BC904AFE1D2296EC08F3F339AEF3F5E132B81BE25819A3C90013B86AF64E6737126175D8DE88EC1CFD972F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0......\........... ........@.. ....................................@.................................0...O........Y...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....Y.......Z..................@..@.reloc.......`.......<..............@..B................d.......H.......P<...5......$....q..H...........................................z..}.....(........}.....(..........0............{.....+..&...}.......0............{....o.....+......0..B.........{...., .{....o....,..(....o..........+....,...(....o....oB........0..B.........{...., .{....o....,..(....o..........+....,...(....o....oD.......r...p.{....%-.&.+.o....(....(....&..0..E.........{....o.........,1...}.....(.....{....o ...o!.....(....o....oB.....>..{.....o".......(#....

C:\ProgramData\Adobe\Adobe.exe:Zone.Identifier

Process:	C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Adobe.exe.log

Process:	C:\ProgramData\Adobe\Adobe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.log

Process:	C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

Process:	C:\ProgramData\Adobe\Adobe.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.014904284428935
Encrypted:	false
SSDEEP:	12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	B66CFB6461E507BB577CDE91F270844E
SHA1:	6D952DE48032731679F8718D1F1C3F08202507C3
SHA-256:	E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
SHA-512:	B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\bhvAA55.tmp

Process:	C:\ProgramData\Adobe\Adobe.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x70d81a5e, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	17301504
Entropy (8bit):	0.8012511682998866
Encrypted:	false
SSDEEP:	6144:ydfjZb5aXEY2waXEY24URlWe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:AVQ4e81ySaKKjLrONseWe
MD5:	CAB39168771C7C02EDB5C0505CBA8342
SHA1:	B2F120C85B6E80C3D41B755673915A9160EDC3B2
SHA-256:	7B85C0679F94F239AD2B1DD505A1ADF65BA22A86BA9E61F473A8BF4ECC8E3780
SHA-512:	51312F4BCFD970E6775787056CC4796C2F1634E63D6B6B8FA094E51A5E2683E9D29F1ACCD9CA92EA6B8217AC1E13DFCD4F6E06B6C8BA59976B0CA78A778A2883
Malicious:	false
Preview:	p..^... .......;!......E{ow("...{........................@...../....{o.-)...\|..h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{].................................b...-)...\|..................pd..-)...\|...........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sjwnfpnrxvemnctydvpmlfmrafenxb

Process:	C:\ProgramData\Adobe\Adobe.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.88700496193482
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
File size:	1'129'984 bytes
MD5:	bc74e2d086d7bef42c3604c1dafc3edb
SHA1:	f3ba507bee10af7e9fd64b1c70fecb975e216073
SHA256:	b2a1e0e508be9c7546a8af45c72f2032f067ac036f03ec0c8309b368b195a65c
SHA512:	0844fb41b40e29c363b7c62f39819569f405f6c038bc904afe1d2296ec08f3f339aef3f5e132b81be25819a3c90013b86af64e6737126175d8de88ec1cfd972f
SSDEEP:	24576:V2xjyUVJKPWlHhWp19hnxRpPNX7HLQUqckP9LbuLCnYng:IUUVJVlHkpVnx3d7HLpEVLtnY
TLSH:	AC351294229AD903C4E20B741D72F7F447748E89EA15C747ABEABDEB7C3614629C03E4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0......\........... ........@.. ....................................@................................

File Icon


Icon Hash:	099bce4dd131078e

Static PE Info

General

Entrypoint:	0x50fe82
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6747D2AD [Thu Nov 28 02:17:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
adc dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], bh
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
push edi
add byte ptr [eax], al
add byte ptr [ebp+00h], bl
add byte ptr [eax], al
pop edi
add byte ptr [eax], al
add byte ptr [edx+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [edx], ch
add byte ptr [eax], al
add byte ptr [eax+eax+00h], dl
add byte ptr [ebx+00h], al
add byte ptr [eax], al
pop ebx
add byte ptr [eax], al
add byte ptr [eax+eax+00h], ah
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or dword ptr [eax], eax
add byte ptr [eax], al
adc eax, 1C000000h
add byte ptr [eax], al
add byte ptr [ebx], dh
add byte ptr [eax], al
add byte ptr [edi+00h], al
add byte ptr [eax], al
push eax
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [ebx], dl
add byte ptr [eax], al
add byte ptr [eax+eax], bh
add byte ptr [eax], al
sbb byte ptr [eax], al
add byte ptr [eax], al
dec ecx
add byte ptr [eax], al
add byte ptr [ebx+00h], cl
add byte ptr [eax], al
dec edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10fe30	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x110000	0x59f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x116000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10df08	0x10e000	d852b467af71dd786b2117d6894a5dad	False	0.942431640625	data	7.888509874015793	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x110000	0x59f4	0x5a00	36babcb3c4920bd28fffa06c17cf4c24	False	0.9309895833333334	data	7.857900423364007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x116000	0xc	0x200	0bb2543762757fb6025267c6875e9af0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x110100	0x531a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.968083106138949
RT_GROUP_ICON	0x11542c	0x14	data	1.05
RT_VERSION	0x115450	0x3a4	data	0.4366952789699571
RT_MANIFEST	0x115804	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-28T17:42:02.753462+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49707	104.250.180.178	7902	TCP
2024-11-28T17:42:05.960094+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49710	178.237.33.50	80	TCP
2024-11-28T17:42:06.097266+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49709	104.250.180.178	7902	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 17:42:00.861439943 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:00.983797073 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:00.983887911 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:00.989130020 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:01.110331059 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:02.698561907 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:02.753462076 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:02.964682102 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:02.968761921 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:03.095606089 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:03.095706940 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:03.216458082 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:03.838433981 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:03.840162039 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:03.960093021 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:04.208100080 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:04.215378046 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:04.269148111 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:04.335479021 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:04.335561037 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:04.366585016 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:04.491576910 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:04.501880884 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:42:04.621959925 CET	80	49710	178.237.33.50	192.168.2.5
Nov 28, 2024 17:42:04.622497082 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:42:04.626797915 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:42:04.748804092 CET	80	49710	178.237.33.50	192.168.2.5
Nov 28, 2024 17:42:05.960024118 CET	80	49710	178.237.33.50	192.168.2.5
Nov 28, 2024 17:42:05.960093975 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:42:05.970858097 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:06.049973965 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:06.097265959 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:06.118340015 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:06.338546991 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:06.343086958 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:06.463835955 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:06.463949919 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:06.585321903 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:06.959754944 CET	80	49710	178.237.33.50	192.168.2.5
Nov 28, 2024 17:42:06.959826946 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:42:07.212425947 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.212564945 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.212647915 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.246335983 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.246380091 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.246392012 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.246428013 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.246505022 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.246521950 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.246534109 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.246568918 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.246568918 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.255084991 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.257719994 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.257837057 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.260867119 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.266416073 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.266521931 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.422996998 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.423219919 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.423321962 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.499605894 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.499639034 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.500459909 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.503874063 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.508039951 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.508167028 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.508979082 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.513557911 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.513569117 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.513658047 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.519187927 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.519260883 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.519283056 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.527992964 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.528091908 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.528417110 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.536765099 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.536829948 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.536905050 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.545427084 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.545525074 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.545552015 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.554151058 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.554212093 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.554244995 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.562887907 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.562983990 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.563021898 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.571605921 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.571680069 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.571717024 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.580344915 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.580440044 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.633435011 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.633496046 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.633567095 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.637778044 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.691035032 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.739545107 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.784792900 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.831372976 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.831399918 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.831465960 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.835779905 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.835851908 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.835902929 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.844624043 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.844697952 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.844820976 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.853199959 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.853270054 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.853334904 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.861917973 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.862045050 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.862133026 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.879792929 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.879863977 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.879986048 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.883960962 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.883974075 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.884067059 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.892772913 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.892823935 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.892904997 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.901511908 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.901547909 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.901647091 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.910192966 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.910275936 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.910339117 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.918889046 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.918979883 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.919043064 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.927644968 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.927731037 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.927840948 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.936348915 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.936465979 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.936530113 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.945077896 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.945208073 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.945274115 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.953870058 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.954034090 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.954096079 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.962897062 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.963064909 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.963298082 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.971297026 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.971489906 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.971581936 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:07.980041981 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.980149031 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:07.980242014 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.002135992 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.002196074 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.002315998 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.006264925 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.006376982 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.006449938 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.014708996 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.014740944 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.014797926 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.023145914 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.023236036 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.023323059 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.031151056 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.031223059 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.031336069 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.039124966 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.039278984 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.039333105 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.047075987 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.047127962 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.047195911 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.055030107 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.055042982 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.055099964 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.062925100 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.063010931 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.063107967 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.070791960 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.070873022 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.070928097 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.078583956 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.078675032 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.078731060 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.086540937 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.086554050 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.086606979 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.094392061 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.094500065 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.094554901 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.099369049 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.099489927 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.099539042 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.104285955 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.104361057 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.104422092 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.109092951 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.109199047 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.109256983 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.114013910 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.114101887 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.114150047 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.119113922 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.119188070 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.119255066 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.123717070 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.123822927 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.123923063 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.128602028 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.128690004 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.128735065 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.133507013 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.133603096 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.133725882 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.136930943 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.137026072 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.137080908 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.140219927 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.140324116 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.140377045 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.143552065 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.143651962 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.143708944 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.146820068 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.146945953 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.147042036 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.150245905 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.150264978 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.150326967 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.153469086 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.153503895 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.153544903 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.156802893 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.156949043 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.157047987 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.174582958 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.174611092 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.174799919 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.175976038 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.176103115 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.176155090 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.179342031 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.179460049 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.179558039 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.182723999 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.182735920 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.182805061 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.185827017 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.186069012 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.186116934 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.188972950 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.189028978 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.189075947 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.192231894 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.192311049 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.192404032 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.195282936 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.195394993 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.195477009 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.198452950 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.198548079 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.198643923 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.201720953 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.201896906 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.202042103 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.204783916 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.204875946 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.204927921 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.208065033 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.208076000 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.208125114 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.211100101 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.211246967 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.211296082 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.214246988 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.214257956 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.214317083 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.217350960 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.217607021 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.217653036 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.220602036 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.220694065 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.220745087 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.223570108 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.223743916 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.223797083 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.226660967 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.226800919 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.226856947 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.242917061 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.242954969 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.243000031 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.244299889 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.244426966 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.244472027 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.247428894 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.288698912 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.297308922 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.297336102 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.297414064 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.297950029 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.298126936 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.298181057 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.300293922 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.300375938 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.300458908 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.302576065 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.302680969 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.302747011 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.304860115 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.304963112 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.305005074 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.307153940 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.307249069 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.307311058 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.309516907 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.309554100 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.309603930 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.311784983 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.311903954 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.311976910 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.314168930 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.314344883 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.314532042 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.316397905 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.316534996 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.316601038 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.318654060 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.318737984 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.318794966 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.320980072 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.321088076 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.321152925 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.323281050 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.323374987 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.323424101 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.325089931 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.325182915 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.325262070 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.326885939 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.326961040 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.327023029 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.328753948 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.328865051 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.328912973 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.330513954 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.330619097 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.330687046 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.332315922 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.332416058 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.332470894 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.334182024 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.334294081 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.334358931 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.335797071 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.335902929 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.335975885 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.337398052 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.337459087 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.337558031 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.339009047 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.339122057 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.339169025 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.340687990 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.340795994 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.340848923 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.342274904 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.342398882 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.342454910 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.343910933 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.344062090 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.344173908 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.345535994 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.345639944 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.345701933 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.347208977 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.349298954 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.349345922 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.349411964 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.350155115 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.350193977 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.350209951 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.354171038 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.354238033 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.354263067 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.354914904 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.354964018 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.359967947 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.360095978 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.360145092 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.360796928 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.360889912 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.360951900 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.364994049 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.365098953 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.365164995 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.365730047 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.370311022 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.370359898 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.370393991 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.371071100 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.371131897 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.371140957 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.374304056 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.374375105 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.374397039 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.375039101 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.375109911 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.381325960 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.381433010 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.381541967 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.382050991 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.385426998 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.385591030 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.385696888 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.386122942 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.386161089 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.386209965 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.389976025 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.390027046 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.390072107 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.390693903 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.390732050 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.399008989 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.399085045 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.399224043 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.399673939 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.404643059 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.404694080 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.404726028 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.405376911 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.405419111 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.409248114 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.409410000 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.409460068 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.409879923 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.416476965 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.416552067 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.416589022 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.417195082 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.417273998 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.424549103 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.424621105 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.424669027 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.425252914 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.427902937 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.427980900 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.428009987 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.428643942 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.428668976 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.439374924 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.439467907 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.439511061 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.440107107 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.445266962 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.445310116 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.445346117 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.446085930 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.446140051 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.446218967 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.455475092 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.455523014 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.455526114 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.456186056 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.456248999 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.463978052 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.464107037 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.464159012 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.464689016 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.471010923 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.471079111 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.471107006 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.471700907 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.471772909 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.480676889 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.480731964 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.480782032 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.484177113 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.484246969 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.484321117 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.484555960 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.484596968 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.484671116 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.489787102 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.489797115 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.489859104 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.495811939 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.495913982 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.495956898 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.496517897 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.496601105 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.496649027 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.500262022 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.500372887 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.500407934 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.500849962 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.504606962 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.504647970 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.504669905 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.504973888 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.505016088 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.505078077 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.506181955 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.506211042 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.514095068 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.514170885 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.514219999 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.514658928 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.514777899 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.514897108 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.515614033 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.519088030 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.519141912 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.519200087 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.519644976 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.519706011 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.525558949 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.525603056 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.525645018 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.526165009 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.526448965 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.526509047 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.530702114 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.530813932 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.530878067 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.531281948 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.536540985 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.536598921 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.536670923 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.537201881 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.537240028 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.537470102 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.539757013 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.539836884 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.539884090 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.540328979 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.540410042 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.540575027 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.540734053 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.540832043 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.541676044 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.544604063 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.544648886 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.544722080 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.545209885 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.545289993 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.545460939 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.545659065 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.545712948 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.549935102 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.549943924 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.550024986 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.550256014 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.550364971 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.550498009 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.555017948 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.555124998 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.555237055 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.555577040 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.562681913 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.562695026 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.562758923 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.563208103 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.563268900 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.564985991 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.565243006 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.565310001 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.565552950 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.565886974 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.565928936 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.565944910 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.566912889 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.567003012 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.572071075 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.572187901 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.572247982 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.572737932 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.575396061 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.575459003 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.575478077 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.584518909 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.584598064 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.584626913 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.584984064 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.585036993 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.615025043 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.615113974 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.615204096 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.623931885 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.624031067 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.624114990 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.624481916 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.624593973 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.624641895 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.625526905 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.629216909 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.629290104 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.629323006 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.629735947 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.629796982 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.634166956 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.634207964 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.634277105 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.634664059 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.634742975 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.634810925 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.671773911 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.672020912 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.672117949 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.672266960 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.689269066 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.689328909 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.689426899 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.689811945 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.689855099 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.689857960 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.706201077 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.706264973 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.706399918 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.735888958 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.735972881 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.736097097 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.738751888 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.738822937 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.738854885 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.739319086 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.739367008 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.739428997 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.742690086 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.742723942 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.742758036 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.743186951 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.743257999 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.745565891 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.745681047 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.745726109 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.746088028 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.746218920 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.746268988 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.746319056 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.747387886 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.747468948 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.747510910 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.748404026 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.748482943 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.750154018 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.750262976 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.750322104 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.782551050 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.782613993 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.782697916 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.784534931 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.784742117 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.784807920 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.785060883 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.785111904 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.785175085 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.789413929 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.789429903 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.789475918 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.789932013 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.794126987 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.794178009 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.794198990 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.794615984 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.794713974 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.804235935 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.804342031 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.804403067 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.804666042 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.809453964 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.809499979 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.809628963 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.809880972 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.809937000 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.814084053 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.814176083 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.814244032 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.814620972 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.814768076 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.814815044 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.814825058 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.815812111 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.815857887 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.819528103 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.819597006 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.819664001 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.819973946 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.824161053 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.824224949 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.824506998 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.824616909 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.824675083 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.825578928 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.825596094 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.825664043 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.834269047 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.834362030 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.834443092 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.834784031 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.834913969 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.834983110 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.835021019 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.835949898 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.836009026 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.839349031 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.839427948 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.839497089 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.839840889 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.844609976 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.844660044 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.844666958 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.849272013 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.849323034 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.849430084 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.849755049 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.849821091 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.853996038 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.854115963 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.854196072 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.854456902 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.854609013 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.854649067 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.854701042 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.855693102 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.855734110 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.859416962 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.859832048 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.859909058 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.859931946 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.864376068 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.864418030 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.864443064 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.864839077 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.864892960 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.870918989 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.871026993 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.871135950 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.871417999 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.874496937 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.874566078 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.874591112 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.874959946 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.875010014 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.879187107 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.879597902 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.879652977 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:08.879729033 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.884290934 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.884315014 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:08.886127949 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:10.092252970 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:10.213805914 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.213824034 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.213833094 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.213843107 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.213855982 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.213962078 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:10.244410992 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.244426012 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.245882988 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.245902061 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.289093971 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.336544037 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.336555004 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.336595058 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.366801977 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.366815090 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.366823912 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.367410898 CET	7902	49709	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:10.367486000 CET	49709	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:24.789659977 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:24.809555054 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:24.930607080 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:54.810672045 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:42:54.811925888 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:42:54.932791948 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:43:24.823656082 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:43:24.825129986 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:43:24.945329905 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:43:54.259391069 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:43:54.583841085 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:43:54.861778021 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:43:54.865750074 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:43:54.986984968 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:43:55.224473953 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:43:56.490143061 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:43:59.021442890 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:44:04.099639893 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:44:14.193613052 CET	49710	80	192.168.2.5	178.237.33.50
Nov 28, 2024 17:44:24.861752987 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:44:24.862946033 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:44:24.982878923 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:44:54.891928911 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:44:54.893126965 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:44:55.017966986 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:45:24.892757893 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:45:24.894336939 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:45:25.014868975 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:45:54.902945042 CET	7902	49707	104.250.180.178	192.168.2.5
Nov 28, 2024 17:45:54.904748917 CET	49707	7902	192.168.2.5	104.250.180.178
Nov 28, 2024 17:45:55.024786949 CET	7902	49707	104.250.180.178	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 17:42:04.275909901 CET	63566	53	192.168.2.5	1.1.1.1
Nov 28, 2024 17:42:04.494575977 CET	53	63566	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2024 17:42:04.275909901 CET	192.168.2.5	1.1.1.1	0xc6bf	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 17:42:04.494575977 CET	1.1.1.1	192.168.2.5	0xc6bf	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	178.237.33.50	80	7636	C:\ProgramData\Adobe\Adobe.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 17:42:04.626797915 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Nov 28, 2024 17:42:05.960024118 CET	1171	IN	HTTP/1.1 200 OK date: Thu, 28 Nov 2024 16:42:05 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	11:41:56
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
Imagebase:	0x9f0000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2053174536.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2048765608.0000000004B7E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2048765608.0000000004039000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2048765608.0000000004072000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2042873217.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	11:41:58
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
Imagebase:	0xd10000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.2040907335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2041417968.0000000001507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	11:41:58
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0x250000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2058916806.0000000002679000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	11:42:00
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xc80000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4500045437.0000000001437000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	6
Start time:	11:42:08
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\sjwnfpnrxvemnctydvpmlfmrafenxb"
Imagebase:	0xb50000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	11:42:08
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"
Imagebase:	0x170000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	11:42:08
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"
Imagebase:	0x340000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	11:42:08
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"
Imagebase:	0x270000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	11:42:08
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ddbggzyktewzxiicugbnokhajlwoymmlyl"
Imagebase:	0x8c0000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	11:42:08
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ffhrgs"
Imagebase:	0x5c0000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	11:42:10
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0x6e0000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	11:42:11
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0x620000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2175641992.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	15
Start time:	11:42:18
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0x550000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	16
Start time:	11:42:20
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0x110000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	17
Start time:	11:42:20
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xe60000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2257711507.0000000001357000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	18
Start time:	11:42:27
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0x110000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	19
Start time:	11:42:28
Start date:	28/11/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xfd0000
File size:	1'129'984 bytes
MD5 hash:	BC74E2D086D7BEF42C3604C1DAFC3EDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.2339042347.0000000001627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true