Edit tour

Windows Analysis Report
x4l3iVpFSc.exe

Overview

General Information

Sample name:	x4l3iVpFSc.exe renamed because original name is a hash value
Original sample name:	184a555eb9e981564e4dd08321f466d1f643c6082d309a2acf6ede5add96c7cc.exe
Analysis ID:	1632425
MD5:	f34b45032d884d86f62b2a0331a1c9de
SHA1:	48b550d96098933548a7787f4b8e96de25fc1bba
SHA256:	184a555eb9e981564e4dd08321f466d1f643c6082d309a2acf6ede5add96c7cc
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

x4l3iVpFSc.exe (PID: 6572 cmdline: "C:\Users\user\Desktop\x4l3iVpFSc.exe" MD5: F34B45032D884D86F62B2A0331A1C9DE)

x4l3iVpFSc.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\x4l3iVpFSc.exe" MD5: F34B45032D884D86F62B2A0331A1C9DE)

adobe.exe (PID: 7744 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: F34B45032D884D86F62B2A0331A1C9DE)

adobe.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: F34B45032D884D86F62B2A0331A1C9DE)

adobe.exe (PID: 7832 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: F34B45032D884D86F62B2A0331A1C9DE)

adobe.exe (PID: 8148 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: F34B45032D884D86F62B2A0331A1C9DE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dod", "Password": "Doll900@@"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.1982245399.0000000002FED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.1985241633.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1985241633.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2441073998.0000000003017000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2441073998.0000000003017000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2441073998.000000000304A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2440123825.000000000338A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2440123825.0000000003357000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2440123825.0000000003357000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1476195329.0000000005630000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.1985241633.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1893124137.0000000002901000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: x4l3iVpFSc.exe PID: 6572	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: x4l3iVpFSc.exe PID: 6572	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: x4l3iVpFSc.exe PID: 7508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: x4l3iVpFSc.exe PID: 7508	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7744	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: adobe.exe PID: 7744	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: adobe.exe PID: 7832	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: adobe.exe PID: 7832	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: adobe.exe PID: 7992	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7992	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 8148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 8148	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.x4l3iVpFSc.exe.5630000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.x4l3iVpFSc.exe.5630000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\x4l3iVpFSc.exe, ProcessId: 7508, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: x4l3iVpFSc.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Avira: detection malicious, Label: TR/AVI.PWS.Agent.hglxv

Found malware configuration

Source: adobe.exe.8148.14.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dod", "Password": "Doll900@@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Virustotal: Detection: 63%			Perma Link
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: x4l3iVpFSc.exe	Virustotal: Detection: 63%			Perma Link
Source: x4l3iVpFSc.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: x4l3iVpFSc.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49693 version: TLS 1.2

Source: x4l3iVpFSc.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1477309607.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1470767093.0000000003D72000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003953000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.2005831500.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1477309607.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1470767093.0000000003D72000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003953000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.2005831500.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 4x nop then jmp 05D45680h	0_2_05D455C0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 4x nop then jmp 05D45680h	0_2_05D455C8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4x nop then jmp 06275680h	10_2_062755C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4x nop then jmp 06275680h	10_2_062755C8

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 213.189.52.181 213.189.52.181

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 213.189.52.181:21 -> 192.168.2.10:49688 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:37. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:37. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:37. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com

Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: adobe.exe.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: x4l3iVpFSc.exe, 00000008.00000002.2440123825.000000000338A000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.000000000304A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: x4l3iVpFSc.exe, 00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1893124137.0000000002901000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.1982245399.0000000003045000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: x4l3iVpFSc.exe, adobe.exe.8.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.2005831500.000000000447C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: x4l3iVpFSc.exe, 00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1893124137.0000000002901000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.1982245399.0000000003045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49693 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D46E88 NtProtectVirtualMemory,	0_2_05D46E88
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D4A8E0 NtResumeThread,	0_2_05D4A8E0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D46E80 NtProtectVirtualMemory,	0_2_05D46E80
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D4A8D8 NtResumeThread,	0_2_05D4A8D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06276E88 NtProtectVirtualMemory,	10_2_06276E88
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_0627A8E0 NtResumeThread,	10_2_0627A8E0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06276E81 NtProtectVirtualMemory,	10_2_06276E81
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_0627A8D8 NtResumeThread,	10_2_0627A8D8

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_0295AAF0	0_2_0295AAF0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_0295ECE8	0_2_0295ECE8
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_02951921	0_2_02951921
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_02951EF0	0_2_02951EF0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_0295AAE0	0_2_0295AAE0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_0295B388	0_2_0295B388
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_0295B480	0_2_0295B480
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D43AF0	0_2_05D43AF0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D43AE0	0_2_05D43AE0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D6F618	0_2_05D6F618
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D6F308	0_2_05D6F308
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D6DD80	0_2_05D6DD80
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D50040	0_2_05D50040
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 0_2_05D50006	0_2_05D50006
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_031493D8	8_2_031493D8
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03146BF0	8_2_03146BF0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_0314A840	8_2_0314A840
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03145890	8_2_03145890
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03149FF0	8_2_03149FF0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_0314CC58	8_2_0314CC58
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_0314D10F	8_2_0314D10F
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_0314D0E5	8_2_0314D0E5
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03149720	8_2_03149720
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03142B48	8_2_03142B48
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03146BE0	8_2_03146BE0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03142ADE	8_2_03142ADE
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_0314A831	8_2_0314A831
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03145862	8_2_03145862
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06EAF768	8_2_06EAF768
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06EA5AF0	8_2_06EA5AF0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06EA63B8	8_2_06EA63B8
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06EA5AD9	8_2_06EA5AD9
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06EA63A8	8_2_06EA63A8
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE96B0	8_2_06FE96B0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE7608	8_2_06FE7608
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FED288	8_2_06FED288
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEAA58	8_2_06FEAA58
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE0040	8_2_06FE0040
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE2170	8_2_06FE2170
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEEE90	8_2_06FEEE90
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEAFF2	8_2_06FEAFF2
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEBCC8	8_2_06FEBCC8
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE75FA	8_2_06FE75FA
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE1D30	8_2_06FE1D30
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE1D20	8_2_06FE1D20
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE9AC8	8_2_06FE9AC8
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE9ABF	8_2_06FE9ABF
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FED278	8_2_06FED278
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE8258	8_2_06FE8258
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE8248	8_2_06FE8248
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEAA49	8_2_06FEAA49
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEA228	8_2_06FEA228
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEF200	8_2_06FEF200
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE5BC9	8_2_06FE5BC9
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEC3C0	8_2_06FEC3C0
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEE360	8_2_06FEE360
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEE350	8_2_06FEE350
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE8B10	8_2_06FE8B10
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE5870	8_2_06FE5870
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEC808	8_2_06FEC808
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE2160	8_2_06FE2160
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE5160	8_2_06FE5160
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE5150	8_2_06FE5150
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FEB920	8_2_06FEB920
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_00FFAAF0	9_2_00FFAAF0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_00FFECE8	9_2_00FFECE8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_00FF1924	9_2_00FF1924
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_00FF1EF0	9_2_00FF1EF0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_00FFAAE0	9_2_00FFAAE0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_00FFB388	9_2_00FFB388
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_00FFB480	9_2_00FFB480
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02D5AAF0	10_2_02D5AAF0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02D5ECE8	10_2_02D5ECE8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02D51923	10_2_02D51923
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02D51EF0	10_2_02D51EF0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02D5AAE0	10_2_02D5AAE0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02D5B388	10_2_02D5B388
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02D5B480	10_2_02D5B480
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_062736E8	10_2_062736E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_062736D8	10_2_062736D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06276971	10_2_06276971
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_0629F618	10_2_0629F618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_0629F308	10_2_0629F308
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_0629DD80	10_2_0629DD80
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_0628001F	10_2_0628001F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06280040	10_2_06280040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_011493D8	13_2_011493D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0114A4F0	13_2_0114A4F0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0114A840	13_2_0114A840
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01146BF0	13_2_01146BF0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0114CC57	13_2_0114CC57
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01149FF0	13_2_01149FF0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0114D10F	13_2_0114D10F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0114D0E5	13_2_0114D0E5
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0114A4E1	13_2_0114A4E1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01149720	13_2_01149720
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0114A830	13_2_0114A830
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01145862	13_2_01145862
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01145890	13_2_01145890
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01142ADE	13_2_01142ADE
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01142B48	13_2_01142B48
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01146BE0	13_2_01146BE0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01142ADE	13_2_01142ADE
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06721120	13_2_06721120
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06722E30	13_2_06722E30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06723EB8	13_2_06723EB8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06723890	13_2_06723890
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06720040	13_2_06720040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06721110	13_2_06721110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06722E30	13_2_06722E30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06723186	13_2_06723186
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06722E21	13_2_06722E21
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06723EA9	13_2_06723EA9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06722E30	13_2_06722E30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06723EB8	13_2_06723EB8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06733E70	13_2_06733E70
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673C428	13_2_0673C428
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673ECB0	13_2_0673ECB0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673CA60	13_2_0673CA60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673A230	13_2_0673A230
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673DB38	13_2_0673DB38
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06738B20	13_2_06738B20
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06730040	13_2_06730040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06731948	13_2_06731948
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673E668	13_2_0673E668
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673BFE0	13_2_0673BFE0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673A7CA	13_2_0673A7CA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067314F8	13_2_067314F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673B4A0	13_2_0673B4A0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673ECAF	13_2_0673ECAF
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06731508	13_2_06731508
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06736DE0	13_2_06736DE0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06736DD0	13_2_06736DD0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673CA50	13_2_0673CA50
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06737A30	13_2_06737A30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673A223	13_2_0673A223
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06737A2A	13_2_06737A2A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06739A00	13_2_06739A00
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067382E8	13_2_067382E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067392A0	13_2_067392A0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06739292	13_2_06739292
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673DB29	13_2_0673DB29
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067353A1	13_2_067353A1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673BB98	13_2_0673BB98
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06735048	13_2_06735048
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06730007	13_2_06730007
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_0673B0F8	13_2_0673B0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06734938	13_2_06734938
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_06731938	13_2_06731938
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067A5298	13_2_067A5298
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067A5B60	13_2_067A5B60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067AEF10	13_2_067AEF10
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067A5281	13_2_067A5281
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067A5B51	13_2_067A5B51
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D93D8	14_2_014D93D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DA4F0	14_2_014DA4F0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D9720	14_2_014D9720
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DA840	14_2_014DA840
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D6BF0	14_2_014D6BF0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DCC57	14_2_014DCC57
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DAC38	14_2_014DAC38
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D9FF0	14_2_014D9FF0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DD10F	14_2_014DD10F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D3110	14_2_014D3110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D31B4	14_2_014D31B4
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DD0E5	14_2_014DD0E5
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DA4E1	14_2_014DA4E1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D5481	14_2_014D5481
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DA830	14_2_014DA830
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D5890	14_2_014D5890
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D2B48	14_2_014D2B48
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D2B38	14_2_014D2B38
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D6BE0	14_2_014D6BE0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014DAC29	14_2_014DAC29
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD8414	14_2_06AD8414
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD2E30	14_2_06AD2E30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD4C80	14_2_06AD4C80
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD4A70	14_2_06AD4A70
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD1120	14_2_06AD1120
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD3EB8	14_2_06AD3EB8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD3890	14_2_06AD3890
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD0040	14_2_06AD0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD2E30	14_2_06AD2E30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD2E21	14_2_06AD2E21
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD4C80	14_2_06AD4C80
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD8B1F	14_2_06AD8B1F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD3186	14_2_06AD3186
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD2E30	14_2_06AD2E30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD1110	14_2_06AD1110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD3EA9	14_2_06AD3EA9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD3EB8	14_2_06AD3EB8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD7A28	14_2_06AD7A28
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AD7A23	14_2_06AD7A23
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AECF18	14_2_06AECF18
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEECB0	14_2_06AEECB0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEC428	14_2_06AEC428
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEA230	14_2_06AEA230
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AECA50	14_2_06AECA50
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE8B20	14_2_06AE8B20
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEDB38	14_2_06AEDB38
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE0040	14_2_06AE0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE1938	14_2_06AE1938
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEE668	14_2_06AEE668
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEBFE0	14_2_06AEBFE0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEA7CA	14_2_06AEA7CA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEECA7	14_2_06AEECA7
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEB4A0	14_2_06AEB4A0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE14F8	14_2_06AE14F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE6DE0	14_2_06AE6DE0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE6DD0	14_2_06AE6DD0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE92A0	14_2_06AE92A0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE9292	14_2_06AE9292
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE82E8	14_2_06AE82E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE7A26	14_2_06AE7A26
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEA223	14_2_06AEA223
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE7A30	14_2_06AE7A30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE9A00	14_2_06AE9A00
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE53A1	14_2_06AE53A1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEBB98	14_2_06AEBB98
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEDB29	14_2_06AEDB29
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AEB0F8	14_2_06AEB0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE0006	14_2_06AE0006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE4928	14_2_06AE4928
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06AE4938	14_2_06AE4938
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06B55690	14_2_06B55690
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06B55281	14_2_06B55281
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_06B55B51	14_2_06B55B51

Source: x4l3iVpFSc.exe

Static PE information: invalid certificate

Source: x4l3iVpFSc.exe, 00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000000.1170513731.00000000005E7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLnhyowpy.exe< vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDlsgglor.dll" vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1460625473.0000000002B95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1477309607.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1473020471.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDlsgglor.dll" vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.0000000003D72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDlsgglor.dll" vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.0000000003D72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe, 00000008.00000002.2434249895.00000000011E9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs x4l3iVpFSc.exe
Source: x4l3iVpFSc.exe	Binary or memory string: OriginalFilenameLnhyowpy.exe< vs x4l3iVpFSc.exe

Source: x4l3iVpFSc.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

File created: C:\Users\user\AppData\Roaming\adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Mutant created: NULL

Source: x4l3iVpFSc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: x4l3iVpFSc.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: x4l3iVpFSc.exe	Virustotal: Detection: 63%
Source: x4l3iVpFSc.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

File read: C:\Users\user\Desktop\x4l3iVpFSc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\x4l3iVpFSc.exe "C:\Users\user\Desktop\x4l3iVpFSc.exe"
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process created: C:\Users\user\Desktop\x4l3iVpFSc.exe "C:\Users\user\Desktop\x4l3iVpFSc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process created: C:\Users\user\Desktop\x4l3iVpFSc.exe "C:\Users\user\Desktop\x4l3iVpFSc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: x4l3iVpFSc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: x4l3iVpFSc.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: x4l3iVpFSc.exe

Static file information: File size 3137440 > 1048576

Source: x4l3iVpFSc.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2a0400

Source: x4l3iVpFSc.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1477309607.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1470767093.0000000003D72000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003953000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.2005831500.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: x4l3iVpFSc.exe, 00000000.00000002.1470767093.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1477309607.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1470767093.0000000003D72000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003953000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.2005831500.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: x4l3iVpFSc.exe, ConnectedHandler.cs	.Net Code: RemoveHandler System.AppDomain.Load(byte[])
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.x4l3iVpFSc.exe.5da0000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.x4l3iVpFSc.exe.39e5570.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.x4l3iVpFSc.exe.3ea6e40.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.x4l3iVpFSc.exe.5630000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x4l3iVpFSc.exe.5630000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1982245399.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1476195329.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1893124137.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x4l3iVpFSc.exe PID: 6572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7832, type: MEMORYSTR

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03140789 push eax; ret	8_2_0314078A
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_031407D9 push eax; ret	8_2_031407DA
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_031407F0 push eax; ret	8_2_031407FA
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_031407E0 push eax; ret	8_2_031407EA
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03140810 push eax; ret	8_2_0314081A
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_03140800 push eax; ret	8_2_0314080A
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE6D5B push es; retf	8_2_06FE6D5C
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Code function: 8_2_06FE2B09 push es; iretd	8_2_06FE2B0C
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06272568 push es; iretd	10_2_06272584
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06275C98 push es; retn 0005h	10_2_06275C9A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06275D2F push es; retn 0005h	10_2_06275D32
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06277D41 push ss; retn 0005h	10_2_06277D42
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06276B28 push cs; retn 0005h	10_2_06276B2A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06271818 push es; retf	10_2_06271844
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06279840 pushfd ; retn 0005h	10_2_06279841
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_0627184E push es; iretd	10_2_06271874
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01140789 push eax; ret	13_2_0114078A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_011407D9 push eax; ret	13_2_011407DA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_011407F0 push eax; ret	13_2_011407FA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_011407E0 push eax; ret	13_2_011407EA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01140810 push eax; ret	13_2_0114081A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_01140800 push eax; ret	13_2_0114080A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067AA24B push es; ret	13_2_067AA24C
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067A273F push es; retf	13_2_067A2740
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067A27D5 push es; retf	13_2_067A27DC
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 13_2_067AA1E7 push es; ret	13_2_067AA1E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D0769 push eax; ret	14_2_014D076A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D07D9 push eax; ret	14_2_014D07DA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D07E0 push eax; ret	14_2_014D07EA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D07F0 push eax; ret	14_2_014D07FA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_014D0789 push eax; ret	14_2_014D078A

Source: 0.2.x4l3iVpFSc.exe.4fd0000.6.raw.unpack, XdUhjJCbHrAMRbPVHZZ.cs

High entropy of concatenated method names: 'UdDCvMmUPu', 'f4YC1u6eGx', 'lVLC9JCYRM', 'gYvCGQR7us', 'GkqCR1bm7W', 'A2dCZjIqXL', 'Fr3CoYtxwF', 'wYjCSmsxEs', 'J5xCunJxcI', 'mXqCYoZYNQ'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: x4l3iVpFSc.exe PID: 6572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7832, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: x4l3iVpFSc.exe, 00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1893124137.0000000002901000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.1982245399.0000000002FED000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Memory allocated: 5300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596201	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 595971	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599642	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599494	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599372	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599221	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598905	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598689	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598559	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598449	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598338	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598201	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596887	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595864	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595682	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595449	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594822	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594693	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594576	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594432	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598428	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598117	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598009	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597886	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597639	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597502	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594511	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594121	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593998	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593344	Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Window / User API: threadDelayed 7592	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Window / User API: threadDelayed 2195	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 4110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 3380	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 5762	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 4066	Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7624	Thread sleep count: 7592 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7624	Thread sleep count: 2195 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -596201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -595971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -593610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -593485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe TID: 7620	Thread sleep time: -593360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8100	Thread sleep count: 4110 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8100	Thread sleep count: 3380 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -599642s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -599494s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -599372s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -599221s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -598905s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -598689s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -598559s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -598449s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -598338s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -598201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596887s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596670s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -595864s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -595682s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -595449s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -595304s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -595200s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -594822s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -594693s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -594576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -594432s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8096	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1740	Thread sleep count: 5762 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1740	Thread sleep count: 4066 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599123s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -598624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -598428s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -598117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -598009s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -597886s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -597639s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -597502s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -595061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -594511s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -594121s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -593998s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -593890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -593781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -593672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -593562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -593453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2044	Thread sleep time: -593344s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596201	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 595971	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599642	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599494	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599372	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599221	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598905	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598689	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598559	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598449	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598338	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598201	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596887	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595864	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595682	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595449	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594822	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594693	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594576	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594432	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598428	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598117	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598009	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597886	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597639	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597502	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594511	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594121	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593998	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593344	Jump to behavior

Source: adobe.exe, 0000000A.00000002.1982245399.000000000303E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: adobe.exe, 0000000A.00000002.1982245399.000000000303E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: adobe.exe, 0000000D.00000002.1982515283.0000000000F94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: x4l3iVpFSc.exe, 00000008.00000002.2461996059.0000000006840000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: adobe.exe, 0000000E.00000002.2437040806.000000000125F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Memory written: C:\Users\user\Desktop\x4l3iVpFSc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Process created: C:\Users\user\Desktop\x4l3iVpFSc.exe "C:\Users\user\Desktop\x4l3iVpFSc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Users\user\Desktop\x4l3iVpFSc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Users\user\Desktop\x4l3iVpFSc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000000D.00000002.1985241633.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2441073998.0000000003017000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2441073998.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2440123825.000000000338A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2440123825.0000000003357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1985241633.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x4l3iVpFSc.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 8148, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\x4l3iVpFSc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0000000D.00000002.1985241633.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2441073998.0000000003017000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2440123825.0000000003357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x4l3iVpFSc.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 8148, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000000D.00000002.1985241633.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2441073998.0000000003017000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2441073998.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2440123825.000000000338A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2440123825.0000000003357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1985241633.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x4l3iVpFSc.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 8148, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	2 Obfuscated Files or Information	11 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Software Packing	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x4l3iVpFSc.exe	64%	Virustotal		Browse
x4l3iVpFSc.exe	61%	ReversingLabs	Win32.Trojan.AgentTesla
x4l3iVpFSc.exe	100%	Avira	TR/AVI.PWS.Agent.hglxv

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Avira	TR/AVI.PWS.Agent.hglxv
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	64%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	61%	ReversingLabs	Win32.Trojan.AgentTesla

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
s4.serv00.com	213.189.52.181	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org	x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	x4l3iVpFSc.exe, 00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1893124137.0000000002901000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.1982245399.0000000003045000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.dyn.com/	x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	x4l3iVpFSc.exe, 00000000.00000002.1470767093.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.2005831500.000000000447C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org/t	x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	x4l3iVpFSc.exe, 00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, x4l3iVpFSc.exe, 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1893124137.0000000002901000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.1982245399.0000000003045000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	x4l3iVpFSc.exe, 00000000.00000002.1476797367.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000009.00000002.1904336749.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://s4.serv00.com	x4l3iVpFSc.exe, 00000008.00000002.2440123825.000000000338A000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000D.00000002.1985241633.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000E.00000002.2441073998.000000000304A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
213.189.52.181	s4.serv00.com	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632425
Start date and time:	2025-03-07 23:35:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	x4l3iVpFSc.exe renamed because original name is a hash value
Original Sample Name:	184a555eb9e981564e4dd08321f466d1f643c6082d309a2acf6ede5add96c7cc.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@2/2
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 430 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Execution Graph export aborted for target adobe.exe, PID 7744 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:37:36	API Interceptor	698068x Sleep call for process: x4l3iVpFSc.exe modified
17:38:19	API Interceptor	8793x Sleep call for process: adobe.exe modified
23:37:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
23:37:46	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	get_txt.ps1	Get hash	malicious	LummaC Stealer	Browse	api.ipify.org/
	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	R1TftmQpuQ.bat	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	SpacesVoid Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
213.189.52.181	kbdXtadZsM.exe	Get hash	malicious	AgentTesla	Browse
	NBdxPYAgZf.exe	Get hash	malicious	AgentTesla	Browse
	5aQpYG37db.exe	Get hash	malicious	AgentTesla	Browse
	fls3eql72b.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.18789.13214.exe	Get hash	malicious	AgentTesla	Browse
	I24560875423784426VTL.exe	Get hash	malicious	AgentTesla	Browse
	HBL - Invoice PIOP94893KM.scr.exe	Get hash	malicious	AgentTesla	Browse
	I2456087542378TL.exe	Get hash	malicious	AgentTesla	Browse
	REF-ALYAV-QINHP5-TIS-L202299 - (AL DHAFRA) SUPPLY.exe	Get hash	malicious	AgentTesla	Browse
	BSDOC-2025.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s4.serv00.com	kbdXtadZsM.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	NBdxPYAgZf.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	5aQpYG37db.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	fls3eql72b.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	SecuriteInfo.com.Win32.CrypterX-gen.18789.13214.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	I24560875423784426VTL.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	HBL - Invoice PIOP94893KM.scr.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	I2456087542378TL.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	REF-ALYAV-QINHP5-TIS-L202299 - (AL DHAFRA) SUPPLY.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BSDOC-2025.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
api.ipify.org	HCoITD94bW.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ZWyrFp7WBM.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	xnlP06YunJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	kbdXtadZsM.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	NBdxPYAgZf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	tmezkNPazz.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.12.205
	Launcher.exe	Get hash	malicious	Growtopia, Phoenix Stealer	Browse	104.26.13.205
	Launcher.exe	Get hash	malicious	Growtopia	Browse	104.26.13.205
	Launcher.exe	Get hash	malicious	Growtopia, Phoenix Stealer	Browse	104.26.12.205
	5aQpYG37db.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	mCqTwcbnfm.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	n8l3NmC5EH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	DbAAqJQFmx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Dear david@corerecon.com - Your Stay Has Been Successfully Booked Ocean Breeze Retreat.msg	Get hash	malicious	ScreenConnect Tool	Browse	1.1.1.1
	OW1i3n5K3s.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	Dropper.exe	Get hash	malicious	AsyncRAT, Trap Stealer, XWorm	Browse	162.159.135.232
	XFo9jVGyLQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	44zFWmsOGn.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	6KzB3ReZ6z.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	UqdykLLTA2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
ECO-ATMAN-PLECO-ATMAN-PL	kbdXtadZsM.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	NBdxPYAgZf.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	5aQpYG37db.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	fls3eql72b.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	SecuriteInfo.com.Win32.CrypterX-gen.18789.13214.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	I24560875423784426VTL.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	PO#10800.exe	Get hash	malicious	FormBook	Browse	212.91.26.153
	HBL - Invoice PIOP94893KM.scr.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	I2456087542378TL.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	REF-ALYAV-QINHP5-TIS-L202299 - (AL DHAFRA) SUPPLY.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	n8l3NmC5EH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	DbAAqJQFmx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	OW1i3n5K3s.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.13.205
	SecuriteInfo.com.Program.Unwanted.5412.9015.527.exe	Get hash	malicious	PureLog Stealer	Browse	104.26.13.205
	XFo9jVGyLQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	44zFWmsOGn.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	UqdykLLTA2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	GBYfjUz4a5.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.13.205
	HCoITD94bW.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SecuriteInfo.com.Program.Unwanted.5412.9015.527.exe	Get hash	malicious	PureLog Stealer	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\x4l3iVpFSc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3137440
Entropy (8bit):	7.2237258987749255
Encrypted:	false
SSDEEP:	49152:zATFMrTscHkZT/UwBgILLUjxZzw1i2yACuAjENraI:cJM3spwwBfUj3z4i8CufNr
MD5:	F34B45032D884D86F62B2A0331A1C9DE
SHA1:	48B550D96098933548A7787F4B8E96DE25FC1BBA
SHA-256:	184A555EB9E981564E4DD08321F466D1F643C6082D309A2ACF6EDE5ADD96C7CC
SHA-512:	6BD00F7DC4DA45AC35A10A5568DD6125C2AF3CBBE9833A384B35034C4F2F99B383C3034A684155CDDC58D28DFCDCCECE60ACE5900D46D6B050122919EEC5CEB1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Virustotal, Detection: 64%, Browse Antivirus: ReversingLabs, Detection: 61%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g...........................n".. ...@...@.. ....................... 0...........`................................. ".K....@............../..)....0...................................................... ............... ..H............text...t... ..................... ..`.rsrc.......@....................@..@.reloc........0......./.............@..B................P".....H.......\...lp...........E..R.%.............................................(......0.......... ........8........E....I...........Z.......{...........2...q...........8D.....r...p(...... ....~....{....:....& ....8.......(....9.... ....8......9E... ....8q......(....:.... ....8Z...8p... ....~....{....:A...& ....86.... ....~....{:...9!...& ....8....8.... ....~....{....:....& ....8....... ....8....*.(...... ....~....{....:....& ....8........E........8.....$...& ....~....{....9...

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\x4l3iVpFSc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.2237258987749255
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	x4l3iVpFSc.exe
File size:	3'137'440 bytes
MD5:	f34b45032d884d86f62b2a0331a1c9de
SHA1:	48b550d96098933548a7787f4b8e96de25fc1bba
SHA256:	184a555eb9e981564e4dd08321f466d1f643c6082d309a2acf6ede5add96c7cc
SHA512:	6bd00f7dc4da45ac35a10a5568dd6125c2af3cbbe9833a384b35034c4f2f99b383c3034a684155cddc58d28dfcdccece60ace5900d46d6b050122919eec5ceb1
SSDEEP:	49152:zATFMrTscHkZT/UwBgILLUjxZzw1i2yACuAjENraI:cJM3spwwBfUj3z4i8CufNr
TLSH:	F1E5F10AB68ACF91C64F137AD8938AF846ABED00ED06D3CB31C93F6A36B37555941147
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........................n".. ...@*...@.. ....................... 0...........`................................

File Icon


Icon Hash:	2d525272484c550b

Static PE Info

General

Entrypoint:	0x6a226e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67A9E384 [Mon Feb 10 11:31:16 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	03/11/2023 01:00:00 05/11/2025 00:59:59
Subject Chain	CN=Adobe Inc., OU=Acrobat DC, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	464C015DAA50884AB4DD5502E6B164B0
Thumbprint SHA-1:	96B7B1EF175BBA4BDE33A05402134289B28B5BCB
Thumbprint SHA-256:	ABC429325881B54BEC561B7B5A635E0E0AC9C94742F1324EBE5EB9AF6AE0CCC5
Serial:	0D1A340F78D7D000E089FDBAAD6522DF

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a2220	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a4000	0x5adc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2fb600	0x29a0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x300000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2a0274	0x2a0400	a402c069cc1998ea55b02106b2985ff9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2a4000	0x5adc8	0x5ae00	fc443a3483fad2793d8c09f14cc4bf71	False	0.034823117262723524	data	2.4041222815062024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x300000	0xc	0x200	9675be37979c54edd87c50dad4170385	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "*"	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x2a4220	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 11811 x 11811 px/m	0.022916235168801966
RT_ICON	0x2e6248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m	0.04400804448124926
RT_ICON	0x2f6a70	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m	0.07853094000944733
RT_ICON	0x2fac98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m	0.10020746887966805
RT_ICON	0x2fd240	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m	0.14329268292682926
RT_ICON	0x2fe2e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m	0.20035460992907803
RT_GROUP_ICON	0x2fe750	0x5a	data	0.7666666666666667
RT_VERSION	0x2fe7ac	0x42e	data	0.40373831775700936
RT_MANIFEST	0x2febdc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	Adobe Acrobat
CompanyName	Adobe Systems Incorporated
FileDescription	Adobe Acrobat
FileVersion	24.5.20320.0
InternalName	Lnhyowpy.exe
LegalCopyright	Copyright 1984-2024 Adobe Systems Incorporated and its licensors. All rights reserved.
LegalTrademarks
OriginalFilename	Lnhyowpy.exe
ProductName	Adobe Acrobat
ProductVersion	24.5.20320.0
Assembly Version	24.5.20320.0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 23:37:34.189991951 CET	49687	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:37:34.190025091 CET	443	49687	104.26.13.205	192.168.2.10
Mar 7, 2025 23:37:34.190093040 CET	49687	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:37:34.195751905 CET	49687	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:37:34.195765018 CET	443	49687	104.26.13.205	192.168.2.10
Mar 7, 2025 23:37:35.982525110 CET	443	49687	104.26.13.205	192.168.2.10
Mar 7, 2025 23:37:35.982661009 CET	49687	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:37:35.986433029 CET	49687	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:37:35.986443996 CET	443	49687	104.26.13.205	192.168.2.10
Mar 7, 2025 23:37:35.986680984 CET	443	49687	104.26.13.205	192.168.2.10
Mar 7, 2025 23:37:36.037422895 CET	49687	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:37:36.080328941 CET	443	49687	104.26.13.205	192.168.2.10
Mar 7, 2025 23:37:36.466712952 CET	443	49687	104.26.13.205	192.168.2.10
Mar 7, 2025 23:37:36.490196943 CET	443	49687	104.26.13.205	192.168.2.10
Mar 7, 2025 23:37:36.490345001 CET	49687	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:37:36.496016979 CET	49687	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:37:37.199187040 CET	49688	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:37:37.204251051 CET	21	49688	213.189.52.181	192.168.2.10
Mar 7, 2025 23:37:37.204440117 CET	49688	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:37:37.802586079 CET	21	49688	213.189.52.181	192.168.2.10
Mar 7, 2025 23:37:37.802874088 CET	49688	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:37:37.807926893 CET	21	49688	213.189.52.181	192.168.2.10
Mar 7, 2025 23:37:37.995435953 CET	21	49688	213.189.52.181	192.168.2.10
Mar 7, 2025 23:37:37.995651960 CET	49688	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:37:38.000670910 CET	21	49688	213.189.52.181	192.168.2.10
Mar 7, 2025 23:37:41.742722034 CET	21	49688	213.189.52.181	192.168.2.10
Mar 7, 2025 23:37:41.790992975 CET	49688	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:37:41.826566935 CET	49688	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:37:41.832070112 CET	21	49688	213.189.52.181	192.168.2.10
Mar 7, 2025 23:37:41.832130909 CET	49688	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:17.322293043 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:17.322350979 CET	443	49691	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:17.322447062 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:17.326107979 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:17.326127052 CET	443	49691	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:19.090944052 CET	443	49691	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:19.091026068 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:19.094892979 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:19.094906092 CET	443	49691	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:19.095235109 CET	443	49691	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:19.134984016 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:19.149498940 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:19.196335077 CET	443	49691	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:19.558576107 CET	443	49691	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:19.587529898 CET	443	49691	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:19.588138103 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:19.593656063 CET	49691	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:20.092535019 CET	49692	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:20.097727060 CET	21	49692	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:20.097867966 CET	49692	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:20.694922924 CET	21	49692	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:20.695208073 CET	49692	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:20.700190067 CET	21	49692	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:20.891527891 CET	21	49692	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:20.891676903 CET	49692	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:20.896708965 CET	21	49692	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:26.114947081 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:26.114991903 CET	443	49693	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:26.115053892 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:26.118654966 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:26.118663073 CET	443	49693	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:26.165648937 CET	21	49692	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:26.213164091 CET	49692	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:27.801697969 CET	49692	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:27.882249117 CET	443	49693	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:27.882390022 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:27.884215117 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:27.884228945 CET	443	49693	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:27.884494066 CET	443	49693	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:27.931947947 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:27.943239927 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:27.988326073 CET	443	49693	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:28.493695021 CET	443	49693	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:28.512425900 CET	443	49693	104.26.13.205	192.168.2.10
Mar 7, 2025 23:38:28.516844988 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:28.519275904 CET	49693	443	192.168.2.10	104.26.13.205
Mar 7, 2025 23:38:29.031874895 CET	49694	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:29.037106991 CET	21	49694	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:29.041124105 CET	49694	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:29.645944118 CET	21	49694	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:29.646142006 CET	49694	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:29.651300907 CET	21	49694	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:29.839858055 CET	21	49694	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:29.840059042 CET	49694	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:29.845108986 CET	21	49694	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:34.306725025 CET	21	49694	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:34.353852034 CET	49694	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:34.383882046 CET	49694	21	192.168.2.10	213.189.52.181
Mar 7, 2025 23:38:34.389307976 CET	21	49694	213.189.52.181	192.168.2.10
Mar 7, 2025 23:38:34.389384985 CET	49694	21	192.168.2.10	213.189.52.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 23:37:34.172693014 CET	62412	53	192.168.2.10	1.1.1.1
Mar 7, 2025 23:37:34.179807901 CET	53	62412	1.1.1.1	192.168.2.10
Mar 7, 2025 23:37:37.189496994 CET	53872	53	192.168.2.10	1.1.1.1
Mar 7, 2025 23:37:37.198640108 CET	53	53872	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 23:37:34.172693014 CET	192.168.2.10	1.1.1.1	0xab21	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:37:37.189496994 CET	192.168.2.10	1.1.1.1	0x3c9f	Standard query (0)	s4.serv00.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 23:37:34.179807901 CET	1.1.1.1	192.168.2.10	0xab21	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:37:34.179807901 CET	1.1.1.1	192.168.2.10	0xab21	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:37:34.179807901 CET	1.1.1.1	192.168.2.10	0xab21	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Mar 7, 2025 23:37:37.198640108 CET	1.1.1.1	192.168.2.10	0x3c9f	No error (0)	s4.serv00.com	213.189.52.181	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49687	104.26.13.205	443	7508	C:\Users\user\Desktop\x4l3iVpFSc.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:37:36 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-03-07 22:37:36 UTC	427	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:37:36 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 91cd940d9882fc33-IAD server-timing: cfL4;desc="?proto=TCP&rtt=30993&min_rtt=23315&rtt_var=13450&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=769&delivery_rate=124185&cwnd=238&unsent_bytes=0&cid=ff9c947d596c3089&ts=626&x=0"
2025-03-07 22:37:36 UTC	13	IN	Data Raw: 32 34 2e 33 38 2e 32 35 33 2e 31 39 31 Data Ascii: 24.38.253.191

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49691	104.26.13.205	443	7992	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:38:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-03-07 22:38:19 UTC	426	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:38:19 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 91cd951b08e443bc-EWR server-timing: cfL4;desc="?proto=TCP&rtt=18813&min_rtt=17841&rtt_var=6704&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=769&delivery_rate=131672&cwnd=251&unsent_bytes=0&cid=49c34dc00cc58184&ts=640&x=0"
2025-03-07 22:38:19 UTC	13	IN	Data Raw: 32 34 2e 33 38 2e 32 35 33 2e 31 39 31 Data Ascii: 24.38.253.191

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49693	104.26.13.205	443	8148	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:38:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-03-07 22:38:28 UTC	425	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 22:38:28 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 91cd9552b9b2056c-IAD server-timing: cfL4;desc="?proto=TCP&rtt=28523&min_rtt=25481&rtt_var=9117&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=96353&cwnd=250&unsent_bytes=0&cid=0eda0ac7457aba4f&ts=760&x=0"
2025-03-07 22:38:28 UTC	13	IN	Data Raw: 32 34 2e 33 38 2e 32 35 33 2e 31 39 31 Data Ascii: 24.38.253.191

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Mar 7, 2025 23:37:37.802586079 CET	21	49688	213.189.52.181	192.168.2.10	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:37. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:37. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:37. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Mar 7, 2025 23:37:37.802874088 CET	49688	21	192.168.2.10	213.189.52.181	USER f2241_dod
Mar 7, 2025 23:37:37.995435953 CET	21	49688	213.189.52.181	192.168.2.10	331 User f2241_dod OK. Password required
Mar 7, 2025 23:37:37.995651960 CET	49688	21	192.168.2.10	213.189.52.181	PASS Doll900@@
Mar 7, 2025 23:37:41.742722034 CET	21	49688	213.189.52.181	192.168.2.10	530 Login authentication failed
Mar 7, 2025 23:38:20.694922924 CET	21	49692	213.189.52.181	192.168.2.10	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:38. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:38. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:38. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Mar 7, 2025 23:38:20.695208073 CET	49692	21	192.168.2.10	213.189.52.181	USER f2241_dod
Mar 7, 2025 23:38:20.891527891 CET	21	49692	213.189.52.181	192.168.2.10	331 User f2241_dod OK. Password required
Mar 7, 2025 23:38:20.891676903 CET	49692	21	192.168.2.10	213.189.52.181	PASS Doll900@@
Mar 7, 2025 23:38:26.165648937 CET	21	49692	213.189.52.181	192.168.2.10	530 Login authentication failed
Mar 7, 2025 23:38:29.645944118 CET	21	49694	213.189.52.181	192.168.2.10	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:38. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:38. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 23:38. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Mar 7, 2025 23:38:29.646142006 CET	49694	21	192.168.2.10	213.189.52.181	USER f2241_dod
Mar 7, 2025 23:38:29.839858055 CET	21	49694	213.189.52.181	192.168.2.10	331 User f2241_dod OK. Password required
Mar 7, 2025 23:38:29.840059042 CET	49694	21	192.168.2.10	213.189.52.181	PASS Doll900@@
Mar 7, 2025 23:38:34.306725025 CET	21	49694	213.189.52.181	192.168.2.10	530 Login authentication failed

Target ID:	0
Start time:	17:37:04
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\x4l3iVpFSc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x4l3iVpFSc.exe"
Imagebase:	0x340000
File size:	3'137'440 bytes
MD5 hash:	F34B45032D884D86F62B2A0331A1C9DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1476195329.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1460625473.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:37:33
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\x4l3iVpFSc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x4l3iVpFSc.exe"
Imagebase:	0xd50000
File size:	3'137'440 bytes
MD5 hash:	F34B45032D884D86F62B2A0331A1C9DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2440123825.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2440123825.0000000003357000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2440123825.0000000003357000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2440123825.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	17:37:46
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x310000
File size:	3'137'440 bytes
MD5 hash:	F34B45032D884D86F62B2A0331A1C9DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1893124137.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 64%, Virustotal, Browse Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:37:55
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x870000
File size:	3'137'440 bytes
MD5 hash:	F34B45032D884D86F62B2A0331A1C9DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.1982245399.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:38:16
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x3e0000
File size:	3'137'440 bytes
MD5 hash:	F34B45032D884D86F62B2A0331A1C9DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1985241633.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1985241633.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1985241633.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1985241633.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:38:25
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x960000
File size:	3'137'440 bytes
MD5 hash:	F34B45032D884D86F62B2A0331A1C9DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2441073998.0000000003017000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2441073998.0000000003017000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2441073998.000000000304A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x4l3iVpFSc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
x4l3iVpFSc.exe