Edit tour

Windows Analysis Report
ACHAT DE 2 IMMEUBLES.pdf

Overview

General Information

Sample name:	ACHAT DE 2 IMMEUBLES.pdf
Analysis ID:	1554550
MD5:	208e977d2a735133acb0bd4e347deea5
SHA1:	997034e9e36d11984cdf4b5b0dfcd8dc50c61a23
SHA256:	890bbf43f2c9244ffdb71a12beab0a7db68be4d8e897a0197a32dc8d1172dd41
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

Changes security center settings (notifications, updates, antivirus, firewall)

Loading BitLocker PowerShell Module

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

Acrobat.exe (PID: 6348 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\ACHAT DE 2 IMMEUBLES.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7044 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 6148 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1728 --field-trial-handle=1572,i,16750144883042128142,8722937577736343165,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 7500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7756 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,11466266959600269699,13698241653752948834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 --field-trial-handle=1980,i,11466266959600269699,13698241653752948834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe (PID: 5404 cmdline: "C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe" MD5: 043ABB0F947E2219446A8FBC8E37049B)

svchost.exe (PID: 6916 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5868 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 5492 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6268 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2900 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 6220 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7300 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

powershell.exe (PID: 3916 cmdline: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3652 cmdline: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service Command' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fleetdeck_agent_svc.exe (PID: 2672 cmdline: "C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe" MD5: 0915F113042460AD625950FF06CAB044)

cleanup

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow", CommandLine: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1176, ProcessCommandLine: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow", ProcessId: 3916, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6916, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T16:49:34.068040+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.16	49707	TCP
2024-11-12T16:50:11.925602+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.16	59359	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe

File created: C:\Users\user\AppData\Local\Temp\FleetDeck\FleetDeck Agent Installer.log

Jump to behavior

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:59359 version: TLS 1.2

Source:

Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr

Source: global traffic	TCP traffic: 192.168.2.16:59362 -> 1.1.1.1:853
Source: global traffic	TCP traffic: 192.168.2.16:59376 -> 8.8.8.8:853
Source: global traffic	TCP traffic: 192.168.2.16:59391 -> 9.9.9.9:853

Source: global traffic

TCP traffic: 192.168.2.16:59357 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 18.173.205.127 18.173.205.127
Source: Joe Sandbox View	IP Address: 9.9.9.9 9.9.9.9
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.16:49707
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.16:59359

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.127
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FWbpFe63sLSlRyu&MD=XACCHnmc HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /AkKkGEnzwtzPvTHp9XURrp?win HTTP/1.1Host: agent.fleetdeck.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe HTTP/1.1Host: agentinstall.fleetdeck.ioConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FWbpFe63sLSlRyu&MD=XACCHnmc HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: agentinstall.fleetdeck.io
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: agentupdate.fleetdeck.io

Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r1.crl
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/wr2/oQ6nyr8F0m0.crl
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/wr2/oQ6nyr8F0m0.crl0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F76000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DC0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt0
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011CD2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E90000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crt0
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F92000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F92000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crthttp://crl3.digicert.com/DigiCertGlobalRootG2.cr
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011CD2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crthttp://crl3.digicert.com/DigiCertGlobalRootG3.cr
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000014.00000002.1573627869.000001B5447B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1773346754.000001E2E08DF000.00000004.00000020.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000002.00000002.2124834771.0000029D3F902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 00000002.00000002.2118362297.0000029D3F80D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F76000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DC0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0H
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crlhttp://crl4.digicert.com/DigiCertG
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011CD2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E90000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl0H
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F92000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DD0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011CD2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0=
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F76000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DC0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011CD2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E90000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crl0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000002.00000002.2124834771.0000029D3F902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000002.00000002.2114342797.0000029D3A2A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2120901003.0000029D3F85D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1921190658.0000029D3F652000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2116548862.0000029D3AB02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2124834771.0000029D3F8E2000.00000004.00000020.00020000.00000000.sdmp, edb.log.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000002.00000002.2124834771.0000029D3F902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/n.ie1&0
Source: svchost.exe, 00000002.00000002.2122627012.0000029D3F896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80IO:ID:
Source: qmgr.db.2.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r1.crt0
Source: fleetdeck_agent_svc.exe, 00000019.00000003.2072693436.00000000120F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r1.crtGlobalSign
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/wr2.crt
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/wr2.crt0
Source: powershell.exe, 00000014.00000002.1566127656.000001B53C70B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000003.2072693436.00000000120F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/wr2
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/wr20%
Source: fleetdeck_agent_svc.exe, 00000019.00000003.2072693436.00000000120F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/wr2Google
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011CD2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011CD2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DC0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E90000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0Q
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comDigiCert
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FF2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr1
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FF2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr1http://pki.goog/gsr1/gsr1.crt
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://ocsp.sectigo.com0G
Source: powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FF2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: powershell.exe, 00000014.00000002.1527175907.000001B52C84A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000014.00000002.1527175907.000001B52C691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1647091230.000001E2C8891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.1527175907.000001B52C84A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: http://wixtoolset.org
Source: powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000005.00000002.1367854740.000001A430213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011CD2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DC0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E90000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011E85000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000014.00000002.1577475862.000001B544B51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: 2D85F72862B55C4EADD9E66E06947F3D0.3.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: ACHAT DE 2 IMMEUBLES.pdf	String found in binary or memory: https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win)
Source: FleetDeck Agent Service.log.25.dr	String found in binary or memory: https://agentupdate.fleetdeck.io/latest.json
Source: fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F76000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://agentupdate.fleetdeck.io/latest.jsonGet
Source: powershell.exe, 00000014.00000002.1527175907.000001B52C691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1647091230.000001E2C8891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1775827576.000001E2E0C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: 3fcfad2f-1955-4c6e-9738-9bd72cdb9587.tmp.4.dr, 64cfd53e-e575-463b-84c2-00137460116d.tmp.4.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000005.00000003.1367343416.000001A43025A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1368068715.000001A430272000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367135253.000001A43026E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000003.1367202905.000001A430267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.1367090186.000001A430274000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.1367343416.000001A43025A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367974191.000001A43023F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000003.1367202905.000001A430267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367914005.000001A43022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000002.1368047251.000001A430265000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000002.1367974191.000001A43023F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.1367070785.000001A430233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000002.1367974191.000001A43023F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367291917.000001A43025E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.1367413574.000001A430230000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367974191.000001A43023F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000005.00000003.1367202905.000001A430267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367914005.000001A43022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000002.00000003.1202996533.0000029D3F6B2000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.1776057303.000001E2E14F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000014.00000002.1566127656.000001B53C70B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367998473.000001A430249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367998473.000001A430249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.1367311180.000001A43025D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000002.1367914005.000001A43022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 59435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59361 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59435
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59434
Source: unknown	Network traffic detected: HTTP traffic on port 59422 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59392
Source: unknown	Network traffic detected: HTTP traffic on port 59403 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59390
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59405 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59437
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59359
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59436
Source: unknown	Network traffic detected: HTTP traffic on port 59373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59387 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59402
Source: unknown	Network traffic detected: HTTP traffic on port 59423 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59361
Source: unknown	Network traffic detected: HTTP traffic on port 59437 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59409
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59404
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59403
Source: unknown	Network traffic detected: HTTP traffic on port 59372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59405
Source: unknown	Network traffic detected: HTTP traffic on port 59420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59374
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59373
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59375
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59372
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59375 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59389
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59422
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59388
Source: unknown	Network traffic detected: HTTP traffic on port 59421 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59421
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59423
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59387
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59420
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59389 -> 443

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:59359 version: TLS 1.2

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_eascx3qe.lg4.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC68239E3		20_2_00007FFEC68239E3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC69551E0		20_2_00007FFEC69551E0

Source: 40c916d1-c184-48d5-8142-44640afd265f.tmp.13.dr

Static PE information: No import functions for PE file found

Source: 40c916d1-c184-48d5-8142-44640afd265f.tmp.13.dr

Static PE information: Data appended to the last section found

Source: classification engine

Classification label: mal52.evad.winPDF@48/75@7/21

Source: ACHAT DE 2 IMMEUBLES.pdf	Initial sample: https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win
Source: ACHAT DE 2 IMMEUBLES.pdf	Initial sample: https://agent.fleetdeck.io/akkkgenzwtzpvthp9xurrp?win

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4780:120:WilError_03

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-11-12 10-49-26-603.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\ACHAT DE 2 IMMEUBLES.pdf"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1728 --field-trial-handle=1572,i,16750144883042128142,8722937577736343165,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,11466266959600269699,13698241653752948834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 --field-trial-handle=1980,i,11466266959600269699,13698241653752948834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe "C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service Command' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe "C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1728 --field-trial-handle=1572,i,16750144883042128142,8722937577736343165,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,11466266959600269699,13698241653752948834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 --field-trial-handle=1980,i,11466266959600269699,13698241653752948834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe "C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe"	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll

Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56ad4c5d-b908-4f85-8ff1-7940c29b3bcf}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Source: ACHAT DE 2 IMMEUBLES.pdf	Initial sample: PDF keyword /JS count = 0
Source: ACHAT DE 2 IMMEUBLES.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: ACHAT DE 2 IMMEUBLES.pdf

Initial sample: PDF keyword /Page count = 11

Source: ACHAT DE 2 IMMEUBLES.pdf

Initial sample: PDF keyword stream count = 42

Source: ACHAT DE 2 IMMEUBLES.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: ACHAT DE 2 IMMEUBLES.pdf

Initial sample: PDF keyword obj count = 132

Source: 40c916d1-c184-48d5-8142-44640afd265f.tmp.13.dr

Static PE information: real checksum: 0x3e7da7 should be: 0x5ea2

Source: 40c916d1-c184-48d5-8142-44640afd265f.tmp.13.dr	Static PE information: section name: .symtab
Source: Unconfirmed 543027.crdownload.13.dr	Static PE information: section name: .symtab
Source: chromecache_200.14.dr	Static PE information: section name: .symtab

Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Code function: 17_2_11C303C0 push es; ret	17_2_11C3053E
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Code function: 17_2_11C30996 push es; ret	17_2_11C309BA
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Code function: 17_2_11C2FF1F push es; ret	17_2_11C2FF22
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Code function: 17_2_11C305FC push es; ret	17_2_11C30776
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Code function: 17_2_361BFC70 push cs; retf	17_2_361BFC71
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Code function: 17_2_362FFACC push cs; retf	17_2_362FFACD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC65946D6 push 8B48FFEEh; iretd	20_2_00007FFEC65946DC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC6823348 push FFFFFFD2h; ret	20_2_00007FFEC682334C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC6821BAB push esp; iretd	20_2_00007FFEC6821BAC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC68268EC pushfd ; ret	20_2_00007FFEC68268F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC6823534 pushad ; retf	20_2_00007FFEC6823535
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC6821A11 push ecx; ret	20_2_00007FFEC6821A12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC6820A00 push esp; retf	20_2_00007FFEC6820A01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC6951445 push cs; iretd	20_2_00007FFEC695144F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFEC6CA3CD6 push ebx; retf	20_2_00007FFEC6CA3CEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFEC64239B1 push ecx; iretd	22_2_00007FFEC64239B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFEC69348FC pushad ; iretd	22_2_00007FFEC69348FD
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Code function: 25_2_00A5F6AC push eax; rep ret	25_2_00A5F6AD
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Code function: 25_2_00A5FE04 pushad ; ret	25_2_00A5FE05
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Code function: 25_2_00A5FD9C push 8011C3F0h; ret	25_2_00A5FDA1
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Code function: 25_2_00A5FD98 push eax; ret	25_2_00A5FD99
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Code function: 25_2_11C2DF20 push ebx; ret	25_2_11C2DF39

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: PDF document	LLM: Page contains button: 'Download' Source: 'PDF document'
Source: PDF document	LLM: PDF document contains prominent button: 'download'

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe (copy)	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 543027.crdownload	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\40c916d1-c184-48d5-8142-44640afd265f.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 200	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 200
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 200			Jump to dropped file

Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe

File created: C:\Users\user\AppData\Local\Temp\FleetDeck\FleetDeck Agent Installer.log

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8637	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1226	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2219
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7502

Source: C:\Windows\System32\svchost.exe TID: 6888	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1956	Thread sleep count: 8637 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1956	Thread sleep count: 1226 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2060	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1788	Thread sleep count: 2219 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1788	Thread sleep count: 7502 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4348	Thread sleep time: -4611686018427385s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 20_2_00007FFEC61F2C30 GetSystemInfo,

20_2_00007FFEC61F2C30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: svchost.exe, 00000007.00000002.2105031087.0000022969A24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000007.00000002.2109059970.0000022969A81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000007.00000002.2106815396.0000022969A52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000esi
Source: svchost.exe, 00000007.00000002.2106815396.0000022969A52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
Source: svchost.exe, 00000002.00000002.2120379064.0000029D3F853000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2111037670.0000029D3A22B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.2102673444.0000022969A02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000007.00000002.2110745399.0000022969B02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1847394620.000000000132E000.00000004.00000020.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -command "new-netfirewallrule -displayname 'fleetdeck agent service' -name 'fleetdeck agent service' -direction inbound -program 'c:\program files (x86)\fleetdeck agent\fleetdeck_agent_svc.exe' -action allow"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -command "new-netfirewallrule -displayname 'fleetdeck agent service' -name 'fleetdeck agent service command' -direction inbound -program 'c:\program files (x86)\fleetdeck agent\fleetdeck_agent_svc.exe' -action allow"

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	Queries volume information: C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSecurity\Microsoft.Windows.Firewall.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSecurity\Microsoft.Windows.Firewall.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000008.00000002.2111451652.000002261F902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.2111451652.000002261F902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	1 Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	21 Masquerading	OS Credential Dumping	41 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\Downloads\Unconfirmed 543027.crdownload	8%	ReversingLabs
C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe (copy)	8%	ReversingLabs
Chrome Cache Entry: 200	8%	ReversingLabs

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0G	0%	Avira URL Cloud	safe
https://agentupdate.fleetdeck.io/latest.json	0%	Avira URL Cloud	safe
https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win)	0%	Avira URL Cloud	safe
https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win	0%	Avira URL Cloud	safe
https://agentinstall.fleetdeck.io/fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	0%	Avira URL Cloud	safe
https://agentupdate.fleetdeck.io/latest.jsonGet	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
agentinstall.fleetdeck.io	18.66.112.116	true	false	unknown
agentupdate.fleetdeck.io	18.239.18.47	true	false	unknown
www.google.com	142.250.186.164	true	false	high
x1.i.lencr.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win	false	Avira URL Cloud: safe	unknown
https://agentinstall.fleetdeck.io/fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pki.goog/gsr1/gsr1.crt	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FF2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.pki.goog/gsr1/gsr1.crl0;	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	false		high
http://i.pki.goog/r1.crtGlobalSign	fleetdeck_agent_svc.exe, 00000019.00000003.2072693436.00000000120F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	false		high
http://ocsp.sectigo.com0	fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000005.00000003.1367202905.000001A430267000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.microsoft.co	powershell.exe, 00000016.00000002.1776057303.000001E2E14F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.pki.goog/gsr1/gsr1.crl	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FEC000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	false		high
https://contoso.com/License	powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/r1.crl	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	false		high
http://o.pki.goog/wr2Google	fleetdeck_agent_svc.exe, 00000019.00000003.2072693436.00000000120F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000003.1367343416.000001A43025A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1368068715.000001A430272000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367135253.000001A43026E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000005.00000002.1367914005.000001A43022B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://o.pki.goog/wr20%	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000005.00000002.1367974191.000001A43023F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wixtoolset.org	fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	false		high
http://crl.microso	svchost.exe, 00000002.00000002.2124834771.0000029D3F902000.00000004.00000020.00020000.00000000.sdmp	false		high
http://o.pki.goog/wr2	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000003.2072693436.00000000120F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/r1.crl0	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000014.00000002.1566127656.000001B53C70B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000014.00000002.1527175907.000001B52C691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1647091230.000001E2C8891000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000005.00000002.1367854740.000001A430213000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000003.1367343416.000001A43025A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367974191.000001A43023F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000003.1367202905.000001A430267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367914005.000001A43022B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win)	ACHAT DE 2 IMMEUBLES.pdf	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.cloudflare-dns.com	3fcfad2f-1955-4c6e-9738-9bd72cdb9587.tmp.4.dr, 64cfd53e-e575-463b-84c2-00137460116d.tmp.4.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000014.00000002.1566127656.000001B53C70B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.3.dr	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1775827576.000001E2E0C16000.00000004.00000020.00020000.00000000.sdmp	false		high
http://c.pki.goog/wr2/oQ6nyr8F0m0.crl	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FEC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000005.00000003.1367311180.000001A43025D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000014.00000002.1527175907.000001B52C84A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000005.00000003.1367090186.000001A430274000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000005.00000003.1367202905.000001A430267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367914005.000001A43022B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000005.00000002.1368047251.000001A430265000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp	false		high
http://i.pki.goog/r1.crt0	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000016.00000002.1758133648.000001E2D8909000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367998473.000001A430249000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1367291917.000001A43025E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000002.00000002.2118362297.0000029D3F80D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp	false		high
https://agentupdate.fleetdeck.io/latest.jsonGet	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F76000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.	powershell.exe, 00000014.00000002.1577475862.000001B544B51000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pki.goog/gsr1/gsr1.crt02	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011DB2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	false		high
https://agentupdate.fleetdeck.io/latest.json	FleetDeck Agent Service.log.25.dr	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367998473.000001A430249000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000005.00000003.1367375799.000001A430243000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	false		high
http://i.pki.goog/wr2.crt0	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000002.1367974191.000001A43023F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 00000005.00000003.1367413574.000001A430230000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1367974191.000001A43023F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod-C:	qmgr.db.2.dr	false		high
http://i.pki.goog/wr2.crt	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011C82000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FA4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000014.00000002.1527175907.000001B52C84A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1647091230.000001E2C8A53000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2-C:	svchost.exe, 00000002.00000003.1202996533.0000029D3F6B2000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
http://c.pki.goog/wr2/oQ6nyr8F0m0.crl0	fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011F8C000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FDE000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FB6000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2116710774.0000000011FE2000.00000004.00001000.00020000.00000000.sdmp, fleetdeck_agent_svc.exe, 00000019.00000002.2108575127.0000000001148000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000014.00000002.1527175907.000001B52C691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1647091230.000001E2C8891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000005.00000003.1367224029.000001A430262000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0G	fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.00000000120D0000.00000004.00001000.00020000.00000000.sdmp, fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, 00000011.00000002.1852034867.0000000011E62000.00000004.00001000.00020000.00000000.sdmp, Unconfirmed 543027.crdownload.13.dr, 3566946875.msi.17.dr, chromecache_200.14.dr	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000005.00000003.1367394368.000001A430257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000003.1367070785.000001A430233000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.66.112.116	agentinstall.fleetdeck.io	United States	3	MIT-GATEWAYSUS	false
99.86.102.129	unknown	United States	16509	AMAZON-02US	false
99.86.102.13	unknown	United States	16509	AMAZON-02US	false
18.154.219.78	unknown	United States	16509	AMAZON-02US	false
18.239.18.47	agentupdate.fleetdeck.io	United States	16509	AMAZON-02US	false
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
18.173.205.127	unknown	United States	3	MIT-GATEWAYSUS	false
18.155.173.66	unknown	United States	16509	AMAZON-02US	false
9.9.9.9	unknown	United States	19281	QUAD9-AS-1US	false
99.86.102.89	unknown	United States	16509	AMAZON-02US	false
18.154.219.68	unknown	United States	16509	AMAZON-02US	false
18.154.219.118	unknown	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false
18.155.173.111	unknown	United States	16509	AMAZON-02US	false
18.155.173.31	unknown	United States	16509	AMAZON-02US	false
18.154.219.19	unknown	United States	16509	AMAZON-02US	false
99.86.102.19	unknown	United States	16509	AMAZON-02US	false
18.155.173.98	unknown	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.16
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554550
Start date and time:	2024-11-12 16:48:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ACHAT DE 2 IMMEUBLES.pdf
Detection:	MAL
Classification:	mal52.evad.winPDF@48/75@7/21
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .pdf

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 184.28.88.176, 184.28.90.27, 52.202.204.11, 23.22.254.206, 52.5.13.197, 54.227.187.23, 162.159.61.3, 172.64.41.3, 172.217.16.131, 142.250.186.142, 74.125.71.84, 34.104.35.123, 2.19.245.44, 88.221.168.141, 2.19.126.149, 2.19.126.143, 23.32.188.153, 95.101.148.135, 142.250.185.227
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, dns.msftncsi.com, clients2.google.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, update.googleapis.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, accounts.google.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, agent.fleetdeck.io, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, edgedl.me.gvt1.com, armmf.adobe.com, clients.l.google.com, geo2.adobe.com
Execution Graph export aborted for target fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe, PID 5404 because there are no executed function
Execution Graph export aborted for target fleetdeck_agent_svc.exe, PID 2672 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ACHAT DE 2 IMMEUBLES.pdf

Simulations

Behavior and APIs

Time	Type	Description
10:49:23	API Interceptor	2x Sleep call for process: svchost.exe modified
10:49:37	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
10:49:52	API Interceptor	58x Sleep call for process: powershell.exe modified
10:50:30	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

LLM Input / Output

Input	Output
URL: PDF document Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Tlchargez le module Fleetdeck", "prominent_button_name": "Download", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false }

URL: PDF document Model: claude-3-haiku-20240307	```json { "brands": [ "Adobe" ] }
	```json { "brands": [ "Adobe" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
9.9.9.9	allpdfpro.msi	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, XWorm	Browse
	http://assets.website-files.com/65e885e17261602dcdc10dce/663166d899226eaa1af23d4b_kilexi.pdf	Get hash	malicious	Unknown	Browse
	All-in-one Calculation Tool.xlsm	Get hash	malicious	Unknown	Browse
	https://agent.fleetdeck.io/RJhGzP5jyL7Wdj5mXz3b8B?win	Get hash	malicious	Unknown	Browse
	https://agentinstall.fleetdeck.io/fleetdeck-agent-WP1buGiXuuz5gPKfbD5LmX.exe	Get hash	malicious	Unknown	Browse
	AFFAIRE JUDICIAIRE MAILLARD.pdf	Get hash	malicious	Unknown	Browse
18.66.112.116	L1ld - Linkvertise Downloader_PE2-ku1.exe	Get hash	malicious	Unknown	Browse
239.255.255.250	https://t.ly/X0-7Q	Get hash	malicious	Unknown	Browse
	https://www.google.com/url?q=https%3A%2F%2Ftrimmer.to%2FPlfGc&sa=D&sntz=1&usg=AOvVaw1DTVuO2H6PM4yLoWCUd_D9	Get hash	malicious	HTMLPhisher	Browse
	View Pdf Doc_1c854e0875fca437af9ba7046d2f6712.htm	Get hash	malicious	Unknown	Browse
	https://t.ly/Bv1rG	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	scan3762399_arleen@wcctxlaw.com.pdf	Get hash	malicious	Unknown	Browse
	specifications and technical requirements.pdf	Get hash	malicious	HTMLPhisher	Browse
	Daan Berkers Benefits Bonus And Payroll Sign&Review yszlra.pdf	Get hash	malicious	Unknown	Browse
	https://shop.teamtti.store/security/resetpassword.aspx?token=KLO7V1DTDI8XU3KP7GIM4NQLCZKQ9IYSIZTYR9CW4L6KWAXRO9DRJEK74C56QXT4UPP4JW77EWRTQFZBC2BAFHIEPV3PEGFH2CZGV2H2BGMXW1RZN33YVTYNHKPY2S27&mode=new	Get hash	malicious	Unknown	Browse
	https://sites.google.com/worth.com/rfp/home	Get hash	malicious	Unknown	Browse
	http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion	Get hash	malicious	Unknown	Browse
18.173.205.127	https://protect-us.mimecast.com/s/18vfCQWNWqS1V8BlCPhEHGoqRR	Get hash	malicious	Unknown	Browse
	https://url.avanan.click/v2/r01/___https://www.google.com.sg/zwq?v=7WZIz&fru;why=7WZIz&fru;xf=y&fru;jxwh=7WZIz&fru;xtzwhj=&fru;hi=7WZIz&fru;zfhy=&fru;zwq=frudxdgtqiqntsfuufwjq.htrd.n___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpkZGUwNjUwMWZkNDExNDYwNzZjMDZiMzcyYTg5ZmU1NDo3OjE4NDg6ZGQ5NzQ2M2JkZmJmZTM2MDBmOTU2MjU4MWJhNWIyZDA0ODAzMGI4MzllZGM2ZjkzYmIwZjc2YWQ5ZmQ2MDFhNTpoOlQ6VA#ZWphbWVzQGVuY2luYWNhcGl0YWwuY29t	Get hash	malicious	HTMLPhisher	Browse
	http://bdvonline-personasv.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	http://bdvonline-personasv.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://f120987.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	http://secureprotocol1.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://url.avanan.click/v2/r01/___https://www.google.com.sg/zwq?v=7WZIz&why=7WZIz&xf=y&jxwh=7WZIz&xtzwhj=&hi=7WZIz&zfhy=&zwq=frudxdjAjsynslgfxj.htr.fzd.oflfd___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo5MTJhYWJjZjBjZWQ3YTE3MzliOWViMjI2OTgzNmFjODo3OmFiMTk6M2MwNmNjYzRlYzBhY2Q2MTg4MWQ5YTMxZDNlZTRiZmFmOTNhMjg1NDIzMDkzM2QyMzQ2MzYzY2Q5NzJhMDgxYTpoOlQ6VA#cnlhbkBsaW5jb2xubWFpbmVmY3UuY29t	Get hash	malicious	Unknown	Browse
	ethaertharety.ps1	Get hash	malicious	Unknown	Browse
	hJABTqngKoJnTgLh.ps1	Get hash	malicious	Unknown	Browse
	CHDLSHtWbSRCfzJMtDO.ps1	Get hash	malicious	Unknown	Browse
18.155.173.66	https://bafkreidhlacoadxbpu3r6cirnmkww3kghdzjx5xccwcixr5q4i4k6qtj64.ipfs.dweb.link/#b.kricheli@ikg-wien.at	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
agentupdate.fleetdeck.io	https://agent.fleetdeck.io/RJhGzP5jyL7Wdj5mXz3b8B?win	Get hash	malicious	Unknown	Browse	108.157.194.99
	https://agentinstall.fleetdeck.io/fleetdeck-agent-WP1buGiXuuz5gPKfbD5LmX.exe	Get hash	malicious	Unknown	Browse	18.172.112.93
	AFFAIRE JUDICIAIRE MAILLARD.pdf	Get hash	malicious	Unknown	Browse	18.172.112.93
agentinstall.fleetdeck.io	Full Litigation File.pdf	Get hash	malicious	Unknown	Browse	3.160.150.68
	https://agent.fleetdeck.io/RJhGzP5jyL7Wdj5mXz3b8B?win	Get hash	malicious	Unknown	Browse	3.160.150.68
	https://agentinstall.fleetdeck.io/fleetdeck-agent-WP1buGiXuuz5gPKfbD5LmX.exe	Get hash	malicious	Unknown	Browse	65.9.86.76
	AFFAIRE JUDICIAIRE MAILLARD.pdf	Get hash	malicious	Unknown	Browse	65.9.86.99
bg.microsoft.map.fastly.net	https://t.ly/X0-7Q	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://t.ly/Bv1rG	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	199.232.214.172
	scan3762399_arleen@wcctxlaw.com.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	specifications and technical requirements.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	Daan Berkers Benefits Bonus And Payroll Sign&Review yszlra.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://shop.teamtti.store/security/resetpassword.aspx?token=KLO7V1DTDI8XU3KP7GIM4NQLCZKQ9IYSIZTYR9CW4L6KWAXRO9DRJEK74C56QXT4UPP4JW77EWRTQFZBC2BAFHIEPV3PEGFH2CZGV2H2BGMXW1RZN33YVTYNHKPY2S27&mode=new	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://account-service.fr/PSTPNL/postal1	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	199.232.214.172
	E7X-XIZ5.eml	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://webconference.protected-forms.com/XaGFyNXNiVFNRd1VaOFBwaER2WW5KM1V1S1NLSzZZZDhjN3NKVC9oV2lCRlNRWmVpbVlYY0JzbS81VUd0czRzOHNRWWNGSndpSCtxMm15d3h6SnFIS0VpR2NHcHh2MWo5Nm1wM3lROHdlakpZdnVWYUpHZDJ2LzVyV1ljWjZuK2pHcTByTjRWRm1IRnpPSnVmUFI0TVk2dHN5L1Yxdko0Y01WeHZYck1iM2tvc3l4YVdqSlZabWl2Y0ZwLzQtLVZvU05jS1M1U0FEQjZZeHUtLUw3WXM4dkFWa2t2YTRLMXJEYTRIbGc9PQ==?cid=2270944670	Get hash	malicious	KnowBe4	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIT-GATEWAYSUS	https://shop.teamtti.store/security/resetpassword.aspx?token=KLO7V1DTDI8XU3KP7GIM4NQLCZKQ9IYSIZTYR9CW4L6KWAXRO9DRJEK74C56QXT4UPP4JW77EWRTQFZBC2BAFHIEPV3PEGFH2CZGV2H2BGMXW1RZN33YVTYNHKPY2S27&mode=new	Get hash	malicious	Unknown	Browse	18.66.122.106
	https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	18.66.102.51
	https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	18.66.102.51
	http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DkaP7_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA8HMkQB3GP7mtgLvWqf-2F2SUC5eKSSwLqPZnnofRHoc7cSU1xfupfl4il6cb3-2BSKrTYe1odI0Jq1F3XJEtoagDhZ-2B0poPJjuweCyekPO2Y39xfy8FdwLLvVUma4NgVhDhlM-3D	Get hash	malicious	Unknown	Browse	18.173.205.2
	2024101221359RemitanceAdvice..pdf	Get hash	malicious	HTMLPhisher	Browse	18.66.112.58
	https://customization-connect-7617.my.salesforce.com/sfc/p/d3000000Byor/a/d300000000RR/ML8ajzoJU6aJIvGQZGZ6S9rRHpaD1XaytKzcNGEf56g	Get hash	malicious	HTMLPhisher	Browse	18.66.112.35
	https://certify-compte.fr/CETEL	Get hash	malicious	Unknown	Browse	18.66.121.135
	https://secure_sharing0documentpreview.wesendit.com/dl/UXseZ6Oj8WT8cWxHq/bXVoYW1hZC5hZGkubXVxcmlAc2ltZWRhcmJ5LmNvbQ	Get hash	malicious	Unknown	Browse	18.66.102.51
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	18.161.170.14
	https://protect-us.mimecast.com/s/18vfCQWNWqS1V8BlCPhEHGoqRR	Get hash	malicious	Unknown	Browse	18.66.102.85
AMAZON-02US	linux_x64_agent_no_crypt.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://www.google.com/url?q=https%3A%2F%2Ftrimmer.to%2FPlfGc&sa=D&sntz=1&usg=AOvVaw1DTVuO2H6PM4yLoWCUd_D9	Get hash	malicious	HTMLPhisher	Browse	3.75.10.80
	https://t.ly/Bv1rG	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	18.245.31.5
	Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Order.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	13.225.78.35
	https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	13.225.78.35
	https://cx.surveysensum.com/d6xqqwvx	Get hash	malicious	HTMLPhisher	Browse	3.5.146.47
	http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DkaP7_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA8HMkQB3GP7mtgLvWqf-2F2SUC5eKSSwLqPZnnofRHoc7cSU1xfupfl4il6cb3-2BSKrTYe1odI0Jq1F3XJEtoagDhZ-2B0poPJjuweCyekPO2Y39xfy8FdwLLvVUma4NgVhDhlM-3D	Get hash	malicious	Unknown	Browse	13.224.189.101
	https://t.ly/SjDNX	Get hash	malicious	Python Stealer, Braodo	Browse	185.166.143.50
AMAZON-02US	linux_x64_agent_no_crypt.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://www.google.com/url?q=https%3A%2F%2Ftrimmer.to%2FPlfGc&sa=D&sntz=1&usg=AOvVaw1DTVuO2H6PM4yLoWCUd_D9	Get hash	malicious	HTMLPhisher	Browse	3.75.10.80
	https://t.ly/Bv1rG	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	18.245.31.5
	Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Order.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	13.225.78.35
	https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	13.225.78.35
	https://cx.surveysensum.com/d6xqqwvx	Get hash	malicious	HTMLPhisher	Browse	3.5.146.47
	http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DkaP7_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA8HMkQB3GP7mtgLvWqf-2F2SUC5eKSSwLqPZnnofRHoc7cSU1xfupfl4il6cb3-2BSKrTYe1odI0Jq1F3XJEtoagDhZ-2B0poPJjuweCyekPO2Y39xfy8FdwLLvVUma4NgVhDhlM-3D	Get hash	malicious	Unknown	Browse	13.224.189.101
	https://t.ly/SjDNX	Get hash	malicious	Python Stealer, Braodo	Browse	185.166.143.50
AMAZON-02US	linux_x64_agent_no_crypt.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://www.google.com/url?q=https%3A%2F%2Ftrimmer.to%2FPlfGc&sa=D&sntz=1&usg=AOvVaw1DTVuO2H6PM4yLoWCUd_D9	Get hash	malicious	HTMLPhisher	Browse	3.75.10.80
	https://t.ly/Bv1rG	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	18.245.31.5
	Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Order.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	13.225.78.35
	https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	13.225.78.35
	https://cx.surveysensum.com/d6xqqwvx	Get hash	malicious	HTMLPhisher	Browse	3.5.146.47
	http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DkaP7_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA8HMkQB3GP7mtgLvWqf-2F2SUC5eKSSwLqPZnnofRHoc7cSU1xfupfl4il6cb3-2BSKrTYe1odI0Jq1F3XJEtoagDhZ-2B0poPJjuweCyekPO2Y39xfy8FdwLLvVUma4NgVhDhlM-3D	Get hash	malicious	Unknown	Browse	13.224.189.101
	https://t.ly/SjDNX	Get hash	malicious	Python Stealer, Braodo	Browse	185.166.143.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://t.ly/X0-7Q	Get hash	malicious	Unknown	Browse	20.109.210.53 172.202.163.200
	View Pdf Doc_1c854e0875fca437af9ba7046d2f6712.htm	Get hash	malicious	Unknown	Browse	20.109.210.53 172.202.163.200
	https://t.ly/Bv1rG	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	20.109.210.53 172.202.163.200
	Daan Berkers Benefits Bonus And Payroll Sign&Review yszlra.pdf	Get hash	malicious	Unknown	Browse	20.109.210.53 172.202.163.200
	https://shop.teamtti.store/security/resetpassword.aspx?token=KLO7V1DTDI8XU3KP7GIM4NQLCZKQ9IYSIZTYR9CW4L6KWAXRO9DRJEK74C56QXT4UPP4JW77EWRTQFZBC2BAFHIEPV3PEGFH2CZGV2H2BGMXW1RZN33YVTYNHKPY2S27&mode=new	Get hash	malicious	Unknown	Browse	20.109.210.53 172.202.163.200
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	20.109.210.53 172.202.163.200
	https://account-service.fr/PSTPNL/postal1	Get hash	malicious	Unknown	Browse	20.109.210.53 172.202.163.200
	https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	20.109.210.53 172.202.163.200
	https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	20.109.210.53 172.202.163.200
	E7X-XIZ5.eml	Get hash	malicious	Unknown	Browse	20.109.210.53 172.202.163.200

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8168146122341279
Encrypted:	false
SSDEEP:	3072:yJjAgNE4Pj5vHcjTcyBP9UjaaQ/ka4qWK3LpbL:QAgN8nj/ka4YLpbL
MD5:	F741707EA55D5E66EB519AF076EE06E0
SHA1:	F72B09D5247530E41DFC4889274A6A2146764CF8
SHA-256:	C83A5EF5C5AC0941048D5FD7893F7CC81A42C267DD31DA5D58EDB97C5757C675
SHA-512:	4945E893811EB90FAFDAD4C342A35347CC10CDE7ED25860B1A4FF42BB599F9073B97FD4975A16BD2310EF53735B9196D4133777B4549648B830020002D58737F
Malicious:	false
Preview:	..6.........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................d6d6.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.17977888357478
Encrypted:	false
SSDEEP:	6:HUJyi+q2PRN2nKuAl9OmbnIFUt8YUqZmw+YUGVkwORN2nKuAl9OmbjLJ:++vaHAahFUt8k/+EV5JHAaSJ
MD5:	B9D846E6668E6160CD9A33937F86B431
SHA1:	28A808BDAC4F5CFB9AA5899F8D35CA55B534597A
SHA-256:	88D3B13D7B7CD154FD5445698F1A06470E161E11B99C2EA7085EFE007F0C93EB
SHA-512:	63A5F5026ACFDEB17EE8CC516E9CDCEF076028AD39E68EC5D645921B24148B24DC35496BCBB0AF1A98B5B0957C5ADF867E883CB0083D59240581A967911ECFFF
Malicious:	false
Preview:	2024/11/12-10:49:25.148 1b7c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/11/12-10:49:25.150 1b7c Recovering log #3.2024/11/12-10:49:25.150 1b7c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Nov 12 14:49:35 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.976408270707615
Encrypted:	false
SSDEEP:	48:83yd4T8XwMHtidAKZdA1FehwiZUklqehKlxy+3:83hOw2rxy
MD5:	404E26AEC27ED7239443193F4DF6301C
SHA1:	F4E876EABD00281F5DAC22DD1C39CC67E6D1EBF7
SHA-256:	673215C416A965C60C636DC62491E9CE9A16FEB9BF43C06A77F28CA1CCF3290A
SHA-512:	25C97A95343D4E2A52F5175D8D5533114B4C0D6961EB7932CB0C3495F7B82958E7FFB18CE5CB13D76C7371C5855D4CF12F15A691ACAE1A2D781BCC1A1B020774
Malicious:	false
Preview:	L..................F.@.. ...$+.,....u..x.5..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IlY"~....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VlY0~....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VlY0~....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VlY0~..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VlY2~...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........dP.\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.246736027046273
Encrypted:	false
SSDEEP:	48:FaqdF78F7B+AAHdKoqKFxcxkFiF7KaqdF7e+AAHdKoqKFxcxkFO:cEOB+AAsoJjykePEe+AAsoJjykY
MD5:	3C376554038586224D09956B07A61C38
SHA1:	C6CF5A0E849E2A69F9B934F9E59B98BECFF472DE
SHA-256:	000D1BCCC4BA6D96ECD483B15CE22B756C7B491F478384143E5FC25889CBDA48
SHA-512:	51DF99CEAEAFB19AFB9F3F6FCAC4056CD374A019EE353C298513A3A1941217922AFEA70A9CC66400310E480D64C74FBD073CF2151AF1B2207AB049C25C49F988
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	20980
Entropy (8bit):	5.618747941892891
Encrypted:	false
SSDEEP:	384:O5WdBrkaeN+JApvqXhr7Fve+RnR5Qw0YjJZr5m3xWYs4SHGPq9TE:O2rfJAYXhrNe+RRqjwJWB3/8Y
MD5:	1F6A7B76CF1FF6CC3582ECDD49D31C8E
SHA1:	3FD83285EDAA970BA2DB8FADBF78DAF4F0BD98F7
SHA-256:	7B7307C2E3E0BAE365CF959DF467A74D015DB71C71359E805B444A895E519D58
SHA-512:	5581631F8D2814CA863A4AD2CC563A1FBFA5137801045123C9E3859F99A4744201D337955665E7C338AB595F7E51A058FAFE9EBC5F2F1BB9DADCCFC905C29423
Malicious:	false
Preview:	@...e...........#.......\.............y...>..........@..........H...............o..b~.D.poM...J..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....~.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................gQ?O.....x5.d.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

Process:	C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe
File Type:	ASCII text, with very long lines (498)
Category:	dropped
Size (bytes):	1171
Entropy (8bit):	5.085254733142551
Encrypted:	false
SSDEEP:	24:hWjnX6YXF+lMpwih1lSInLfDJ68A+OGFdWoiKXF+libpwT:OXbwlqwih1lSwrI+OFoiKwli1wT
MD5:	CFC4F57D525EB408CE60B43CC183892E
SHA1:	E9B6A8D36EFD5877ADFE8BACD0F33797BBFE251E
SHA-256:	A2F568B2BC12ABAFA637464C833FD0C12D4A62B3972103B5DE9E6D2333D5F7DA
SHA-512:	B8448CAC5F6E24D7866AD8FA462066CBC30E7EC5BD0CE0835746002269834E565A7FD6FDEB838077C19B02921DA43D48560C69FDC04AD5089447783E142B5381
Malicious:	false
Preview:	2024/11/12 15:50:27 Starting FleetDeck Agent Service built using version "718da8a1b87729f24d9e6cab0e29a26d3d9795d7"....2024/11/12 15:50:27 IPC server starting....2024/11/12 15:50:27 Performing update....2024/11/12 15:50:27 Polling for latest version from: https://agentupdate.fleetdeck.io/latest.json.2024/11/12 15:50:27 Could not dial agentupdate.fleetdeck.io:443 using built-in dns resolvers, retrying using DoT....2024/11/12 15:50:40 Error when updating: Failed to get latest version: Failed to connect to url: Get "https://agentupdate.fleetdeck.io/latest.json": Unable to resolve agentupdate.fleetdeck.io using the following DoT configurations: [{[1.1.1.1]:853 cloudflare-dns.com} {[8.8.8.8]:853 dns.google} {[9.9.9.9]:853 dns.quad9.net} {[2606:4700:4700::1111]:853 cloudflare-dns.com} {[2001:4860:4860::8888]:853 dns.google} {[2620:fe::fe]:853 dns.quad9.net}], waiting for 2s before retrying with attempt: 1....2024/11/12 15:50:42 Performing update....2024/11/12 15:50:42 Polling for latest vers

File type:	PDF document, version 1.4, 11 pages
Entropy (8bit):	7.7594720894126405
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	ACHAT DE 2 IMMEUBLES.pdf
File size:	1'582'655 bytes
MD5:	208e977d2a735133acb0bd4e347deea5
SHA1:	997034e9e36d11984cdf4b5b0dfcd8dc50c61a23
SHA256:	890bbf43f2c9244ffdb71a12beab0a7db68be4d8e897a0197a32dc8d1172dd41
SHA512:	79e8fcf38f88cc3474126d346ce612cdd489840fb34e96fc1bf2dd9acbfd0fa8e2a087a2fcf37257181cd0291993141725e317909849e41f5f804eedec80c3e3
SSDEEP:	49152:mMuYnZW1T1aB7pVAUWUraUsjGWYZf9cKt6:mMuCW1T1aVHWUraURWYu
TLSH:	D9750132FBC3E799578746ADA53D3E3307A9A5E9DAC0246B102F4C193084F369A5367C
File Content Preview:	%PDF-1.4.%.....1 0 obj.<<./Type /Catalog./Version /1.4./Pages 2 0 R./StructTreeRoot 3 0 R./MarkInfo 4 0 R./Lang (en)./ViewerPreferences 5 0 R.>>.endobj.6 0 obj.<<./Title (ACHAT DE 2 IMMEUBLES FR.pdf)./Creator (Canva)./Producer (Canva)./CreationDate (D:202

General
Header:	%PDF-1.4
Total Entropy:	7.759472
Total Bytes:	1582655
Stream Entropy:	7.753502
Stream Bytes:	1562625
Entropy outside Streams:	5.222125
Bytes outside Streams:	20030
Number of EOF found:	1
Bytes after EOF:

Name	Count
obj	132
endobj	132
stream	42
endstream	42
xref	1
trailer	1
startxref	1
/Page	11
/Encrypt	0
/ObjStm	0
/URI	10
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

ID	DHASH	MD5
21	0000000000000000	342360ac75e62d1ff1e3437a0b9e2231
22	70494d7139230313	0937ec0469de5811a78ff6b71125f828
23	0812b2b271716906	38f7b21475db7ce3c733747145eaef8f
24	a8a5ada1e84d6660	2c2c39e105cd59e7cabb19a48b001e1f
25	203b5755d5532b80	f4af29e577c6250b1fbcfee0a8d4a28e

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 16:49:33.395092964 CET	53	61044	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:33.626003027 CET	53	51831	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:33.637200117 CET	53	54493	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:34.891644001 CET	53	62761	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:37.920691013 CET	53903	53	192.168.2.16	1.1.1.1
Nov 12, 2024 16:49:38.117069006 CET	55494	53	192.168.2.16	1.1.1.1
Nov 12, 2024 16:49:38.117204905 CET	51189	53	192.168.2.16	1.1.1.1
Nov 12, 2024 16:49:38.137974977 CET	53	55494	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:38.141597033 CET	53	51189	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:38.156147003 CET	49756	53	192.168.2.16	1.1.1.1
Nov 12, 2024 16:49:38.156147003 CET	63251	53	192.168.2.16	1.1.1.1
Nov 12, 2024 16:49:38.163186073 CET	53	49756	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:38.163273096 CET	53	63251	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:39.319768906 CET	53	63224	1.1.1.1	192.168.2.16
Nov 12, 2024 16:49:51.993637085 CET	53	65492	1.1.1.1	192.168.2.16
Nov 12, 2024 16:50:10.983829975 CET	53	49613	1.1.1.1	192.168.2.16
Nov 12, 2024 16:50:27.261476994 CET	138	138	192.168.2.16	192.168.2.255
Nov 12, 2024 16:50:28.266333103 CET	53021	53	192.168.2.16	1.1.1.1
Nov 12, 2024 16:50:28.300869942 CET	53	53021	1.1.1.1	192.168.2.16
Nov 12, 2024 16:50:33.345410109 CET	53	55207	1.1.1.1	192.168.2.16
Nov 12, 2024 16:50:33.506172895 CET	53	55165	1.1.1.1	192.168.2.16
Nov 12, 2024 16:50:46.657685995 CET	57081	53	192.168.2.16	1.1.1.1
Nov 12, 2024 16:50:46.680166006 CET	53	57081	1.1.1.1	192.168.2.16

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 16:49:26.176772118 CET	1.1.1.1	192.168.2.16	0x74eb	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:49:26.176772118 CET	1.1.1.1	192.168.2.16	0x74eb	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:49:37.934190035 CET	1.1.1.1	192.168.2.16	0x5a4d	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 16:49:38.137974977 CET	1.1.1.1	192.168.2.16	0x58d5	No error (0)	agentinstall.fleetdeck.io		18.66.112.116	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:49:38.137974977 CET	1.1.1.1	192.168.2.16	0x58d5	No error (0)	agentinstall.fleetdeck.io		18.66.112.64	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:49:38.137974977 CET	1.1.1.1	192.168.2.16	0x58d5	No error (0)	agentinstall.fleetdeck.io		18.66.112.2	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:49:38.137974977 CET	1.1.1.1	192.168.2.16	0x58d5	No error (0)	agentinstall.fleetdeck.io		18.66.112.98	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:49:38.163186073 CET	1.1.1.1	192.168.2.16	0x11bb	No error (0)	www.google.com		142.250.186.164	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:49:38.163273096 CET	1.1.1.1	192.168.2.16	0x8375	No error (0)	www.google.com			65	IN (0x0001)	false
Nov 12, 2024 16:50:28.300869942 CET	1.1.1.1	192.168.2.16	0xb570	No error (0)	agentupdate.fleetdeck.io		18.239.18.47	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:50:28.300869942 CET	1.1.1.1	192.168.2.16	0xb570	No error (0)	agentupdate.fleetdeck.io		18.239.18.124	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:50:28.300869942 CET	1.1.1.1	192.168.2.16	0xb570	No error (0)	agentupdate.fleetdeck.io		18.239.18.129	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:50:28.300869942 CET	1.1.1.1	192.168.2.16	0xb570	No error (0)	agentupdate.fleetdeck.io		18.239.18.46	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:50:46.680166006 CET	1.1.1.1	192.168.2.16	0xf991	No error (0)	agentupdate.fleetdeck.io		18.172.112.118	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:50:46.680166006 CET	1.1.1.1	192.168.2.16	0xf991	No error (0)	agentupdate.fleetdeck.io		18.172.112.93	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:50:46.680166006 CET	1.1.1.1	192.168.2.16	0xf991	No error (0)	agentupdate.fleetdeck.io		18.172.112.126	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:50:46.680166006 CET	1.1.1.1	192.168.2.16	0xf991	No error (0)	agentupdate.fleetdeck.io		18.172.112.129	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-11-12 15:49:33 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FWbpFe63sLSlRyu&MD=XACCHnmc HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-11-12 15:49:34 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: f5bc500f-2cae-447f-b273-8a7f28da87cd MS-RequestId: 5d5c7167-fc23-4467-9024-df05aafe0ef0 MS-CV: GLpxtcZ8yUO7adiZ.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 12 Nov 2024 15:49:33 GMT Connection: close Content-Length: 24490
2024-11-12 15:49:34 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-11-12 15:49:34 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-11-12 15:49:34 UTC	687	OUT	GET /AkKkGEnzwtzPvTHp9XURrp?win HTTP/1.1 Host: agent.fleetdeck.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-11-12 15:49:38 UTC	619	IN	HTTP/1.1 302 Found Content-Type: application/json Content-Length: 0 Connection: close Date: Tue, 12 Nov 2024 15:49:37 GMT X-Amzn-Trace-Id: Root=1-6733790e-4177a240310c589d5458a228;Parent=6e5e4dba57407f23;Sampled=0;Lineage=1:cfe0e7e4:0 x-amzn-RequestId: c6fe3129-dc71-4915-9a69-2d0cb5c62b5e x-amz-apigw-id: BI_aZGo9PHcERbQ= Location: https://agentinstall.fleetdeck.io/fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe X-Cache: Miss from cloudfront Via: 1.1 f0b5999c895f4b29c49c485a0a825d0c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: 634OE4-G0ZDRDdseQPn_3lcEoZJ4DN9vsuwJgOnJOdAzcNbDm0qm8w==

Timestamp	Bytes transferred	Direction	Data
2024-11-12 15:49:38 UTC	710	OUT	GET /fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe HTTP/1.1 Host: agentinstall.fleetdeck.io Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-11-12 15:49:39 UTC	626	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 4081208 Connection: close Date: Tue, 12 Nov 2024 15:49:40 GMT Last-Modified: Tue, 12 Nov 2024 15:49:38 GMT x-amz-expiration: expiry-date="Thu, 14 Nov 2024 00:00:00 GMT", rule-id="Yjg0OWZjMTUtNzUxNS00MDI2LWIyNWUtODcwOWQ5NDM4MWM5" ETag: "043abb0f947e2219446a8fbc8e37049b" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Server: AmazonS3 X-Cache: Miss from cloudfront Via: 1.1 edffe6978db53d114a80cda421e0b6b8.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P5 X-Amz-Cf-Id: mABAQ7AmxYb-RTpmQcAivCKGwnPVwTnKo2yED648QHrdHX3i_zcpCA==
2024-11-12 15:49:39 UTC	14588	IN	Data Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 04 3d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 ac 0c 00 00 80 23 00 00 00 00 00 e0 aa 05 00 00 10 00 00 00 a0 18 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 20 41 00 00 04 00 00 a7 7d 3e 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL=#@ A}>@
2024-11-12 15:49:39 UTC	2272	IN	Data Raw: 20 11 00 00 8b 44 24 04 85 c0 0f 85 68 03 00 00 8b 44 24 44 8b 08 39 48 04 0f 87 06 03 00 00 0f b6 4c 24 4c 84 c9 75 17 90 90 8b 44 24 24 89 04 24 e8 be 4b 00 00 c6 44 24 54 00 83 c4 40 c3 64 8b 05 14 00 00 00 8b 80 00 00 00 00 89 44 24 28 e8 4f 04 03 00 8b 04 24 c7 40 18 00 00 00 00 c7 40 1c 00 00 00 00 8b 4c 24 18 85 c9 0f 95 c2 8b 5c 24 1c 85 db 87 dd 0f 95 c3 87 dd 09 d5 95 84 c0 95 74 0e c7 40 18 ff ff ff ff c7 40 1c ff ff ff ff 8b 15 b0 83 7e 00 85 d2 75 16 8b 54 24 48 89 50 0c c7 40 2c 00 00 00 00 8b 6c 24 28 89 28 eb 2d 8d 78 0c 89 c2 8b 44 24 48 e8 f4 59 05 00 8d 7a 2c 89 c5 31 c0 e8 e8 59 05 00 89 d7 8b 44 24 28 e8 dd 59 05 00 89 f8 89 ea 8b 6c 24 28 c6 40 24 00 8d 78 34 8b 35 b0 83 7e 00 85 f6 75 09 8b 74 24 44 89 70 34 eb 11 89 c6 8b 44 24 44 Data Ascii: D$hD$D9HL$LuD$$$KD$T@dD$(O$@@L$\$t@@~uT$HP@,l$((-xD$HYz,1YD$(Yl$(@$x45~ut$Dp4D$D
2024-11-12 15:49:40 UTC	16384	IN	Data Raw: 89 44 24 04 e8 0b cc 02 00 90 e8 85 3d 05 00 e9 c0 fd ff ff 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 76 46 83 ec 08 8b 44 24 0c 8b 48 04 85 c9 75 1f 83 c0 28 89 04 24 e8 35 d0 ff ff 8b 44 24 04 85 c0 0f 95 c0 83 f0 01 88 44 24 10 83 c4 08 c3 89 04 24 e8 89 d0 ff ff 8b 44 24 04 85 c0 0f 94 c0 88 44 24 10 83 c4 08 c3 e8 23 3d 05 00 eb a1 cc 83 ec 10 8b 44 24 14 89 04 24 8b 44 24 18 89 44 24 04 c6 44 24 08 01 e8 04 00 00 00 83 c4 10 c3 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 0f 86 89 05 00 00 83 ec 44 8b 44 24 48 85 c0 0f 84 13 05 00 00 0f b6 4c 24 50 84 c9 74 04 31 d2 eb 18 89 04 24 e8 46 ff ff ff 0f b6 44 24 04 0f b6 4c 24 50 89 c2 8b 44 24 48 84 d2 74 5e 8d 48 10 89 0c 24 e8 77 cf ff ff 8b 44 24 04 85 c0 0f 84 c5 04 00 00 8b 44 24 48 89 04 Data Ascii: D$=d;avFD$Hu($5D$D$$D$D$#=D$$D$D$D$d;aDD$HL$Pt1$FD$L$PD$Ht^H$wD$D$H
2024-11-12 15:49:40 UTC	16384	IN	Data Raw: cc cc cc cc 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 0f 86 8b 00 00 00 83 ec 24 8b 44 24 28 89 04 24 e8 4b 92 ff ff 8b 44 24 04 85 c0 0f 94 c1 8b 54 24 08 85 d2 0f 94 c3 21 cb 84 db 75 58 89 54 24 1c 89 44 24 18 89 54 24 20 84 02 90 89 14 24 e8 1c 92 ff ff 8b 44 24 04 8b 4c 24 08 8b 54 24 28 89 14 24 8b 5c 24 1c 89 5c 24 08 8b 5c 24 18 89 5c 24 04 89 4c 24 10 89 44 24 0c e8 b0 90 ff ff 0f b6 44 24 14 84 c0 74 90 8b 44 24 20 89 44 24 2c 83 c4 24 c3 c7 44 24 2c 00 00 00 00 83 c4 24 c3 e8 ea fc 04 00 e9 55 ff ff ff cc cc cc cc cc 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 76 01 c3 e8 c8 fc 04 00 eb e6 cc cc cc cc cc cc 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 76 1b 83 ec 08 8b 44 24 0c 89 04 24 c7 44 24 04 00 00 00 00 e8 57 09 00 00 83 c4 Data Ascii: d;a$D$($KD$T$!uXT$D$T$ $D$L$T$($\$\$\$\$L$D$D$tD$ D$,$D$,$Ud;avd;avD$$D$W
2024-11-12 15:49:40 UTC	3778	IN	Data Raw: 20 89 43 28 0f b6 42 04 83 e0 03 80 f8 03 74 14 8d 42 04 89 04 24 c6 44 24 04 03 e8 a4 52 ff ff 8b 5c 24 14 89 1c 24 e8 18 00 00 00 83 c4 08 c3 83 c4 08 c3 e8 5b bd 04 00 e9 b6 fd ff ff cc cc cc cc cc cc 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 0f 86 45 04 00 00 83 ec 40 8b 7c 24 44 8b 5f 0c 0f b6 6b 04 95 f6 c0 04 95 0f 85 15 04 00 00 89 5c 24 38 8b 6f 08 89 6c 24 30 8b 77 28 89 e8 8b 6f 14 89 d9 0f b6 5f 27 89 da 8b 5f 2c eb 0e 0f b7 50 32 8d 54 15 fc 84 00 8b 2a 31 d2 85 ed 0f 85 b3 00 00 00 39 77 20 75 0c 0f b6 5f 25 84 db 0f 85 b0 00 00 00 8b 59 10 85 db 74 60 0f b6 6f 26 95 38 41 05 95 75 55 8b 6f 0c 89 da 0f b6 5d 05 0f b6 6d 04 95 f6 c0 08 95 75 01 4b 89 d9 bd 01 00 00 00 d3 e5 8d 5d ff 21 f3 0f b7 68 32 0f af dd 90 89 e9 8d 2c 1a 0f b6 1c Data Ascii: C(BtB$D$R\$$[d;aE@\|$D_k\$8ol$0w(o_'_,P2T*19w u_%Yt`o&8AuUo]muK]!h2,
2024-11-12 15:49:40 UTC	16384	IN	Data Raw: 21 00 00 00 e8 a9 44 02 00 90 e8 c3 ae 04 00 e9 ae fe ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 0f 86 b1 02 00 00 83 ec 34 8b 44 24 3c 85 c0 0f 84 89 02 00 00 0f b6 48 04 f6 c1 04 0f 85 66 02 00 00 8b 4c 24 38 8b 51 2c 8b 1a 8b 68 08 8d 74 24 40 89 34 24 89 6c 24 04 ff d3 8b 44 24 08 89 44 24 14 8b 4c 24 3c 0f b6 59 04 83 f3 04 88 59 04 8b 59 0c 85 db 75 49 8b 44 24 38 8b 48 28 8b 11 89 14 24 89 4c 24 04 c6 44 24 08 01 e8 9e c9 ff ff 8b 05 b0 83 7e 00 8b 4c 24 0c 85 c0 75 09 8b 44 24 3c 89 48 0c eb 10 8b 54 24 3c 8d 7a 0c 89 c8 e8 49 c2 04 00 89 d0 8b 44 24 14 8b 4c 24 3c 8b 54 24 38 eb 1e 89 14 24 89 6c 24 04 e8 0d f5 ff ff 8b 44 24 38 8b 4c 24 3c 8b 54 24 14 89 d0 8b 54 24 38 0f b6 59 05 89 cd 89 d9 Data Ascii: !Dd;a4D$<HfL$8Q,ht$@4$l$D$D$L$<YYYuID$8H($L$D$~L$uD$<HT$<zID$L$<T$8$l$D$8L$<T$T$8Y
2024-11-12 15:49:40 UTC	16384	IN	Data Raw: 2c 24 8b 6c 24 78 39 d0 72 db 8b 34 24 39 d0 76 1a 29 d0 83 f8 20 19 ed 89 c1 d3 ee 21 ee 8b 8c 24 90 00 00 00 8b 6c 24 78 89 d0 83 f8 01 75 15 83 fe 01 75 0c b8 19 00 00 00 be ff ff ff 01 eb 13 89 d8 eb 0f 8d 14 00 83 fa 19 77 07 89 c2 e9 17 01 00 00 89 34 24 8b 54 24 24 89 44 24 44 8b 44 24 0c 89 44 24 30 8b 44 24 44 eb 1a 8b 4c 24 20 29 c1 8b 34 24 8b 6c 24 78 89 5c 24 30 89 cb 8b 8c 24 90 00 00 00 39 d8 77 2a 89 5c 24 20 8b 6c 24 30 83 fd 20 19 db 89 e9 d3 e6 21 de 09 f2 8d 1c 08 8b ac 24 90 00 00 00 83 fd 01 0f 84 8f 00 00 00 eb 79 85 db 76 47 89 7c 24 74 83 fb 20 89 e8 19 ed 8b 7c 24 30 83 ff 20 19 ff 89 7c 24 2c 89 d9 bf 01 00 00 00 d3 e7 21 ef 8d 6f ff 21 ee 8b 4c 24 30 d3 e6 8b 6c 24 2c 21 ee 09 f2 01 cb 8b 8c 24 90 00 00 00 89 c5 8b 7c 24 74 eb Data Ascii: ,$l$x9r4$9v) !$l$xuuw4$T$$D$DD$D$0D$DL$ )4$l$x\$0$9w*\$ l$0 !$yvG\|$t \|$0 \|$,!o!L$0l$,!$\|$t
2024-11-12 15:49:40 UTC	16384	IN	Data Raw: 8b 44 24 5c 8b 8c 24 88 00 00 00 19 c8 8b 8c 24 b8 00 00 00 89 ca c1 f9 1f 8b 9c 24 b4 00 00 00 0f af d9 8b 8c 24 b0 00 00 00 01 d9 0f af c2 01 c8 8b 8c 24 a8 00 00 00 8b 94 24 ac 00 00 00 01 d1 8b 8c 24 8c 00 00 00 11 c1 f2 0f 10 44 24 08 f2 0f 11 84 24 d0 00 00 00 89 4c 24 04 8b 44 24 3c 89 04 24 e8 59 e7 03 00 f2 0f 10 84 24 d0 00 00 00 f2 0f 5e 44 24 08 f2 0f 11 05 e0 ad 7e 00 c7 05 6c 28 7c 00 00 00 00 00 c7 05 70 28 7c 00 00 00 00 00 0f b6 05 80 8c 7e 00 84 c0 74 06 ff 05 dc ad 7e 00 90 90 8d 05 a0 8c 7e 00 89 04 24 e8 9d 31 ff ff ff 05 d8 ad 7e 00 8d 05 a4 8c 7e 00 89 04 24 e8 c9 44 02 00 90 90 8d 05 a0 8c 7e 00 89 04 24 e8 79 33 ff ff e8 44 35 01 00 8b 05 cc 82 7c 00 89 84 24 c8 00 00 00 c6 84 24 cc 00 00 00 00 90 8d 05 d4 82 7c 00 89 04 24 c7 44 Data Ascii: D$\$$$$$$$D$$L$D$<$Y$^D$~l(\|p(\|~t~~$1~~$D~$y3D5\|$$\|$D
2024-11-12 15:49:40 UTC	16384	IN	Data Raw: 01 00 8d 05 00 96 4e 00 89 04 24 c7 44 24 04 13 00 00 00 e8 9a a2 01 00 c7 44 24 04 00 00 00 00 8b 44 24 38 89 04 24 e8 26 9f 01 00 e8 c1 9b 01 00 e8 0c 9a 01 00 8d 05 30 da 4e 00 89 04 24 c7 44 24 04 20 00 00 00 e8 66 84 01 00 8b 84 24 3c 01 00 00 89 04 24 e8 47 81 fe ff 8b 84 24 50 01 00 00 8b 48 50 89 4c 24 48 8b 50 54 89 54 24 44 8b 5c 24 04 89 5c 24 34 e8 55 99 01 00 8d 05 e7 aa 4e 00 89 04 24 c7 44 24 04 16 00 00 00 e8 1f a2 01 00 8b 84 24 50 01 00 00 89 04 24 e8 90 a1 01 00 8d 05 7d 6c 4e 00 89 04 24 c7 44 24 04 07 00 00 00 e8 fa a1 01 00 8b 44 24 44 89 44 24 04 8b 44 24 48 89 04 24 e8 e6 9f 01 00 8d 05 00 96 4e 00 89 04 24 c7 44 24 04 13 00 00 00 e8 d0 a1 01 00 c7 44 24 04 00 00 00 00 8b 44 24 34 89 04 24 e8 3c a0 01 00 e8 f7 9a 01 00 e8 42 99 01 Data Ascii: N$D$D$D$8$&0N$D$ f$<$G$PHPL$HPTT$D\$\$4UN$D$$P$}lN$D$D$DD$D$H$N$D$D$D$4$<B
2024-11-12 15:49:40 UTC	16384	IN	Data Raw: 18 8b 54 24 14 39 d1 76 07 90 89 cb 29 d1 eb 04 89 cb 31 c9 85 c9 74 09 8b 4c 24 1c 39 48 68 74 04 83 c4 0c c3 f7 c2 ff ff 3f 00 75 17 83 c0 54 89 04 24 89 54 24 04 89 5c 24 08 e8 22 c8 00 00 83 c4 0c c3 8d 05 c2 c8 4e 00 89 04 24 c7 44 24 04 1c 00 00 00 e8 58 44 01 00 90 e8 d2 99 03 00 eb 80 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 0c 0f 86 f1 02 00 00 83 ec 44 8b 5c 24 48 84 03 8b 6c 24 50 8b 74 24 4c 39 f5 76 07 90 89 ef 29 f5 eb 04 89 ef 31 ed 85 ed 0f 84 46 01 00 00 f7 c6 ff ff 3f 00 0f 85 a6 02 00 00 8b 6c 24 54 89 e8 c1 ed 0d a9 ff 1f 00 00 74 01 45 89 f0 8b 35 8c 82 7e 00 c1 ee 0d 83 fe 01 73 05 be 01 00 00 00 4f 89 7c 24 28 90 8b 4b 28 89 ea 8b 6b 24 c1 ef 16 39 f9 0f 86 60 02 00 00 8d 4c fd 00 8b 69 04 8b 09 f7 c5 00 00 00 80 74 07 b9 00 00 Data Ascii: T$9v)1tL$9Hht?uT$T$\$"N$D$XDd;aD\$Hl$Pt$L9v)1F?l$TtE5~sO\|$(K(k$9`Lit

Timestamp	Bytes transferred	Direction	Data
2024-11-12 15:50:11 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FWbpFe63sLSlRyu&MD=XACCHnmc HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-11-12 15:50:11 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: c41bbb9a-2f18-41d4-a6e8-c67a1d20c54c MS-RequestId: 8f6b6393-c9ab-4abf-9923-1ad095c10a19 MS-CV: APbxHuMkPU21OTJa.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 12 Nov 2024 15:50:10 GMT Connection: close Content-Length: 30005
2024-11-12 15:50:11 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-11-12 15:50:11 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	10:49:22
Start date:	12/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\ACHAT DE 2 IMMEUBLES.pdf"
Imagebase:	0x7ff6ebcb0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	10:49:24
Start date:	12/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff7e67a0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	10:49:25
Start date:	12/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1728 --field-trial-handle=1572,i,16750144883042128142,8722937577736343165,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff7e67a0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	10:49:29
Start date:	12/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff62c440000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	10:49:30
Start date:	12/11/2024
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7648e0000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ACHAT DE 2 IMMEUBLES.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\3fcfad2f-1955-4c6e-9738-9bd72cdb9587.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\64cfd53e-e575-463b-84c2-00137460116d.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF42f933.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241112154928Z-171.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
ACHAT DE 2 IMMEUBLES.pdf

Target ID:	13
Start time:	10:49:31
Start date:	12/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://agent.fleetdeck.io/AkKkGEnzwtzPvTHp9XURrp?win
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	16
Start time:	10:49:38
Start date:	12/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 --field-trial-handle=1980,i,11466266959600269699,13698241653752948834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	17
Start time:	10:49:48
Start date:	12/11/2024
Path:	C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Downloads\fleetdeck-agent-AkKkGEnzwtzPvTHp9XURrp.exe"
Imagebase:	0x710000
File size:	4'081'208 bytes
MD5 hash:	043ABB0F947E2219446A8FBC8E37049B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	10:49:50
Start date:	12/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow"
Imagebase:	0x7ff7582a0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	10:50:03
Start date:	12/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service Command' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' -Action Allow"
Imagebase:	0x7ff7582a0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	10:50:27
Start date:	12/11/2024
Path:	C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe"
Imagebase:	0x560000
File size:	5'504'560 bytes
MD5 hash:	0915F113042460AD625950FF06CAB044
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	35.7%
Total number of Nodes:	14
Total number of Limit Nodes:	1

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre