Edit tour

Windows Analysis Report
https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I

Overview

General Information

Sample URL:	https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I
Analysis ID:	1569528

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

Phishing site or detected (based on various text indicators)

HTML page contains hidden javascript code

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 2844 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,3940894086779925446,8648217627585648565,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6216 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

rundll32.exe (PID: 1436 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Acrobat.exe (PID: 3920 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Care Systems Services LTD.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 5136 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7264 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2280 --field-trial-handle=1360,i,15807164517327134399,1986630103556935659,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 6192 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://whitespotfitness.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVkwRlphVmc9JnVpZD1VU0VSMDQxMjIwMjRVMTQxMjA0MTM=N0123N%5bEMAIL%5d MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4464 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,583728863588497507,9785935761716199252,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: file:///C:/Users/user/Downloads/Care%20Systems%20Services%20LTD.pdf

Joe Sandbox AI: Page contains button: 'VIEW DOCUMENT HERE' Source: '3.2.pages.csv'

Phishing site or detected (based on various text indicators)

Source: Chrome DOM: 3.2	OCR Text: 90B Care Systems Services LTD.pdf New Document Received PDF You've received (2) new PDF documents for your review Please sign & return: VIEW DOCUMENT HERE Best Regards, Murray Short Business Development Manager Care Systems Services LTD p: 250-558-5509 m: 250-540-559 www.caresvstems.ca w: Deale o Lcic
Source: Chrome DOM: 3.4	OCR Text: e 6) Care Systems Services LTD.pdf 100% Find your downloads here Manage files as they download and open them when they're done New Document Received PDF You've received (2) new PDF documents for your review Please sign & return: VIEW DOCUMENT HERE Best Regards, Murray Short Business Development Manager Care Systems Services LTD p: 250-558-5509 m: 250-540-559 www.caresvstems.ca w: * uttui2ee Deair c'

Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?download_all=True&email_type=SEND_BY_EMAIL_RECIPIENT&ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e

HTTP Parser: Base64 decoded: admin_console_search

Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/Care%20Systems%20Services%20LTD.pdf	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/Care%20Systems%20Services%20LTD.pdf	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon
Source: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	HTTP Parser: No favicon

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 28MB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: cfl.dropboxstatic.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: d.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: marketing.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: uc2a9fbe405c8322974dfe328ccc.previews.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: uc25a1334a1f7999e01d72462606.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: c.contentsquare.net
Source: global traffic	DNS traffic detected: DNS query: assets.adobedtm.com
Source: global traffic	DNS traffic detected: DNS query: www.dropboxstatic.com
Source: global traffic	DNS traffic detected: DNS query: static.ads-twitter.com
Source: global traffic	DNS traffic detected: DNS query: dpm.demdex.net
Source: global traffic	DNS traffic detected: DNS query: whitespotfitness.com
Source: global traffic	DNS traffic detected: DNS query: dropbox.demdex.net
Source: global traffic	DNS traffic detected: DNS query: cm.everesttech.net
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: px.ads.linkedin.com
Source: global traffic	DNS traffic detected: DNS query: t.co
Source: global traffic	DNS traffic detected: DNS query: analytics.twitter.com
Source: global traffic	DNS traffic detected: DNS query: www.linkedin.com
Source: global traffic	DNS traffic detected: DNS query: static.xingcdn.com
Source: global traffic	DNS traffic detected: DNS query: munchkin.marketo.net
Source: global traffic	DNS traffic detected: DNS query: www.xing.com
Source: global traffic	DNS traffic detected: DNS query: td.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: www.knotch-cdn.com
Source: global traffic	DNS traffic detected: DNS query: googleads.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: bttrack.com
Source: global traffic	DNS traffic detected: DNS query: frontdoor.knotch.it
Source: global traffic	DNS traffic detected: DNS query: configs.knotch.com
Source: global traffic	DNS traffic detected: DNS query: 077-zjt-858.mktoresp.com
Source: global traffic	DNS traffic detected: DNS query: connect.facebook.net
Source: global traffic	DNS traffic detected: DNS query: 10906599.fls.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: ad.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: snap.licdn.com
Source: global traffic	DNS traffic detected: DNS query: adservice.google.com
Source: global traffic	DNS traffic detected: DNS query: s.yimg.jp
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: static.cloud.coveo.com
Source: global traffic	DNS traffic detected: DNS query: www.emjcd.com
Source: global traffic	DNS traffic detected: DNS query: cdn.bttrack.com
Source: global traffic	DNS traffic detected: DNS query: cj.dotomi.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: tags.srv.stackadapt.com
Source: global traffic	DNS traffic detected: DNS query: js.zi-scripts.com
Source: global traffic	DNS traffic detected: DNS query: hubfront.hushly.com
Source: global traffic	DNS traffic detected: DNS query: ws.zoominfo.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 50209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50212
Source: unknown	Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50213
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50229
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50230
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50240
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50244
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50247
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50204
Source: unknown	Network traffic detected: HTTP traffic on port 50196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50208
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50185
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown	Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50194
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50196
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50198
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 50226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50159
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 50242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50160
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50171
Source: unknown	Network traffic detected: HTTP traffic on port 50160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 50229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 50169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50157 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900

Source: classification engine

Classification label: mal48.phis.win@61/253@181/481

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-05 14-15-24-636.log

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,3940894086779925446,8648217627585648565,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,3940894086779925446,8648217627585648565,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Care Systems Services LTD.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2280 --field-trial-handle=1360,i,15807164517327134399,1986630103556935659,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2280 --field-trial-handle=1360,i,15807164517327134399,1986630103556935659,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 5B7364CD55014DC54FC8F0EC34E1011C
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://whitespotfitness.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVkwRlphVmc9JnVpZD1VU0VSMDQxMjIwMjRVMTQxMjA0MTM=N0123N%5bEMAIL%5d
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,583728863588497507,9785935761716199252,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://whitespotfitness.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVkwRlphVmc9JnVpZD1VU0VSMDQxMjIwMjRVMTQxMjA0MTM=N0123N%5bEMAIL%5d
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,583728863588497507,9785935761716199252,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\crash_reporter.cfg

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Rundll32	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label	Link
file:///C:/Users/user/Downloads/Care%20Systems%20Services%20LTD.pdf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
js.zi-scripts.com	172.64.150.44	true	false	unknown
d1byadigbszfki.cloudfront.net	3.164.85.48	true	false	unknown
dart.l.doubleclick.net	172.217.17.38	true	false	unknown
chrome.cloudflare-dns.com	172.64.41.3	true	false	unknown
whitespotfitness.com	192.254.190.193	true	false	unknown
edge-block-www-env.dropbox-dns.com	162.125.69.15	true	false	unknown
marketing.dropbox.com	108.158.75.80	true	false	high
edge12.g.yimg.jp	182.22.31.252	true	false	high
adservice.google.com	216.58.208.226	true	false	high
platform.twitter.map.fastly.net	151.101.120.157	true	false	unknown
bttrack.com	192.132.33.68	true	false	unknown
d3aqntjehoyiyc.cloudfront.net	18.165.220.13	true	false	high
configs.knotch.com	3.164.85.119	true	false	high
scontent.xx.fbcdn.net	157.240.196.15	true	false	high
c.ba.contentsquare.net	46.137.111.148	true	false	high
t.co	162.159.140.229	true	false	high
static.cloud.coveo.com	13.227.8.50	true	false	high
static-pdx.v.dropbox.com	162.125.40.3	true	false	high
frontdoor.knotch.it	34.203.95.94	true	false	high
d-edge.v.dropbox.com	162.125.8.20	true	false	unknown
www.google.com	172.217.21.36	true	false	high
dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com	34.253.40.242	true	false	unknown
d2ib6ufe2caisg.cloudfront.net	18.165.220.2	true	false	unknown
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
google.com	142.250.181.142	true	false	high
s.twitter.com	104.244.42.195	true	false	unknown
ws.zoominfo.com	104.16.117.43	true	false	unknown
ad.doubleclick.net	172.217.17.70	true	false	high
077-zjt-858.mktoresp.com	192.28.147.68	true	false	high
edge-block-previews-env.dropbox-dns.com	162.125.69.16	true	false	high
googleads.g.doubleclick.net	142.250.181.130	true	false	high
www-env.dropbox-dns.com	162.125.69.18	true	false	unknown
td.doubleclick.net	142.250.181.2	true	false	high
tags.srv.stackadapt.com	3.222.162.46	true	false	high
static.ads-twitter.com	unknown	unknown	false	high
cfl.dropboxstatic.com	unknown	unknown	false	high
cm.everesttech.net	unknown	unknown	false	unknown
10906599.fls.doubleclick.net	unknown	unknown	false	unknown
www.dropboxstatic.com	unknown	unknown	false	unknown
dropbox.demdex.net	unknown	unknown	false	high
www.knotch-cdn.com	unknown	unknown	false	high
d.dropbox.com	unknown	unknown	false	unknown
uc25a1334a1f7999e01d72462606.dl.dropboxusercontent.com	unknown	unknown	false	unknown
www.dropbox.com	unknown	unknown	false	high
dpm.demdex.net	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
x1.i.lencr.org	unknown	unknown	false	high
assets.adobedtm.com	unknown	unknown	false	high
www.emjcd.com	unknown	unknown	false	high
www.linkedin.com	unknown	unknown	false	high
px.ads.linkedin.com	unknown	unknown	false	high
connect.facebook.net	unknown	unknown	false	high
munchkin.marketo.net	unknown	unknown	false	unknown
s.yimg.jp	unknown	unknown	false	high
analytics.twitter.com	unknown	unknown	false	high
www.xing.com	unknown	unknown	false	high
static.xingcdn.com	unknown	unknown	false	high
uc2a9fbe405c8322974dfe328ccc.previews.dropboxusercontent.com	unknown	unknown	false	unknown
cj.dotomi.com	unknown	unknown	false	high
snap.licdn.com	unknown	unknown	false	high
c.contentsquare.net	unknown	unknown	false	unknown
cdn.bttrack.com	unknown	unknown	false	high
hubfront.hushly.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Downloads/Care%20Systems%20Services%20LTD.pdf	true	Avira URL Cloud: safe	unknown
https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?download_all=True&email_type=SEND_BY_EMAIL_RECIPIENT&ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	false		unknown
https://www.dropbox.com/transfer/AAAAABuflK_-TTz20ZAsMpfta13uohLDt3ivZZu4BQKEI719vVARGNs?ftref=74cccfbb4459e4891420b76124b259a1c1e33bceca98b4ef034e7b4ba4bdfb62&oref=e	false		unknown
https://whitespotfitness.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVkwRlphVmc9JnVpZD1VU0VSMDQxMjIwMjRVMTQxMjA0MTM=N0123N%5bEMAIL%5d	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.17.67	unknown	United States	15169	GOOGLEUS	false
109.233.159.64	unknown	Germany	50343	NWRK-ASNewWorkSEDE	false
142.250.181.130	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false
192.254.190.193	whitespotfitness.com	United States	46606	UNIFIEDLAYER-AS-1US	false
104.16.117.43	ws.zoominfo.com	United States	13335	CLOUDFLARENETUS	false
54.154.234.207	unknown	United States	16509	AMAZON-02US	false
23.218.208.236	unknown	United States	6453	AS6453US	false
142.250.181.46	unknown	United States	15169	GOOGLEUS	false
172.217.17.38	dart.l.doubleclick.net	United States	15169	GOOGLEUS	false
162.159.140.229	t.co	United States	13335	CLOUDFLARENETUS	false
54.224.241.105	unknown	United States	14618	AMAZON-AESUS	false
172.217.17.78	unknown	United States	15169	GOOGLEUS	false
3.164.85.128	unknown	United States	16509	AMAZON-02US	false
18.165.220.13	d3aqntjehoyiyc.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
104.86.110.187	unknown	United States	20940	AKAMAI-ASN1EU	false
13.107.42.14	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
34.253.40.242	dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com	United States	16509	AMAZON-02US	false
23.54.81.179	unknown	United States	20940	AKAMAI-ASN1EU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
108.158.75.80	marketing.dropbox.com	United States	16509	AMAZON-02US	false
23.54.81.216	unknown	United States	20940	AKAMAI-ASN1EU	false
46.137.111.148	c.ba.contentsquare.net	Ireland	16509	AMAZON-02US	false
172.217.17.74	unknown	United States	15169	GOOGLEUS	false
64.233.161.84	unknown	United States	15169	GOOGLEUS	false
173.194.220.84	unknown	United States	15169	GOOGLEUS	false
18.165.220.2	d2ib6ufe2caisg.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
172.217.17.70	ad.doubleclick.net	United States	15169	GOOGLEUS	false
182.22.31.252	edge12.g.yimg.jp	Japan	23816	YAHOOYahooJapanCorporationJP	false
162.125.65.18	unknown	United States	19679	DROPBOXUS	false
3.222.162.46	tags.srv.stackadapt.com	United States	14618	AMAZON-AESUS	false
3.164.85.119	configs.knotch.com	United States	16509	AMAZON-02US	false
172.217.17.46	unknown	United States	15169	GOOGLEUS	false
162.125.8.20	d-edge.v.dropbox.com	United States	19679	DROPBOXUS	false
216.58.208.226	adservice.google.com	United States	15169	GOOGLEUS	false
162.125.69.18	www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
104.16.100.29	unknown	United States	13335	CLOUDFLARENETUS	false
162.125.69.16	edge-block-previews-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
162.125.69.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
3.164.85.48	d1byadigbszfki.cloudfront.net	United States	16509	AMAZON-02US	false
104.18.37.212	unknown	United States	13335	CLOUDFLARENETUS	false
192.28.147.68	077-zjt-858.mktoresp.com	United States	53580	MARKETOUS	false
151.101.120.157	platform.twitter.map.fastly.net	United States	54113	FASTLYUS	false
23.218.208.137	unknown	United States	6453	AS6453US	false
13.227.8.50	static.cloud.coveo.com	United States	16509	AMAZON-02US	false
162.125.40.3	static-pdx.v.dropbox.com	United States	19679	DROPBOXUS	false
172.217.21.35	unknown	United States	15169	GOOGLEUS	false
142.250.181.68	unknown	United States	15169	GOOGLEUS	false
172.217.21.36	www.google.com	United States	15169	GOOGLEUS	false
104.16.99.29	unknown	United States	13335	CLOUDFLARENETUS	false
157.240.195.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
142.250.181.66	unknown	United States	15169	GOOGLEUS	false
192.132.33.67	unknown	United States	18568	BIDTELLECTUS	false
34.203.95.94	frontdoor.knotch.it	United States	14618	AMAZON-AESUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
192.132.33.68	bttrack.com	United States	18568	BIDTELLECTUS	false
172.217.19.238	unknown	United States	15169	GOOGLEUS	false
142.250.181.142	google.com	United States	15169	GOOGLEUS	false
88.221.60.75	unknown	European Union	16625	AKAMAI-ASUS	false
52.55.158.206	unknown	United States	14618	AMAZON-AESUS	false
104.244.42.195	s.twitter.com	United States	13414	TWITTERUS	false
142.250.181.104	unknown	United States	15169	GOOGLEUS	false
89.207.16.75	unknown	Sweden	25751	VALUECLICKUS	false
172.64.150.44	js.zi-scripts.com	United States	13335	CLOUDFLARENETUS	false
142.250.181.2	td.doubleclick.net	United States	15169	GOOGLEUS	false
54.75.138.108	unknown	United States	16509	AMAZON-02US	false
157.240.196.15	scontent.xx.fbcdn.net	United States	32934	FACEBOOKUS	false
23.195.39.65	unknown	United States	20940	AKAMAI-ASN1EU	false
18.165.220.110	unknown	United States	3	MIT-GATEWAYSUS	false
172.66.0.227	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.8
192.168.2.4
192.168.2.6
192.168.2.5
192.168.2.17

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569528
Start date and time:	2024-12-05 20:13:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.phis.win@61/253@181/481

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.21.35, 172.217.19.238, 64.233.161.84
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I

LLM Input / Output

Input	Output
URL: https://www.dropbox.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://www.dropbox.com
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "This is a benign performance measurement script that simply records the start time of JavaScript execution using the standard performance.now() API. This is a common and legitimate practice for performance monitoring and analytics. No data transmission, DOM manipulation, or suspicious behavior is present." }
window.EDISON_METRICS_JS_EXECUTION_START = performance.now();
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "This script performs basic performance timing measurement using standard browser APIs (performance.now()) and stores the result in a global variable. It's a legitimate performance monitoring snippet with no data transmission, DOM manipulation, or suspicious behavior. The code is clear, unobfuscated, and follows common telemetry practices." }
(function () { var start = performance.now(); window.addRequireLoadCallback(function() { window.EDISON_METRICS_REQUIRE_LOAD_CALLBACK_TIME = performance.now() - start; }); })();
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "This appears to be legitimate Dropbox file transfer functionality using Edison module for prefetching. The code contains a Base64 encoded URL pointing to dropbox.com (a trusted domain) and includes standard browser user-agent information. While it uses encoding, this is standard practice for data transfer and not obfuscation for malicious purposes." }
window.addRequireLoadCallback(function() { window.require(["js/edison/edison"], function (edisonModule) { edisonModule.Edison.registerStreamedPrefetch("ErUECjpwcml2YWN5X2NvbnNlbnRfZWRpc29uLlByaXZhY3lDb25zZW50RWRpc29uUHJlZmV0Y2hTZXJ2aWNlEhdDQ1BBSWZyYW1lUHJvcHNQcmVmZXRjaBq/AxK8A1LbAWh0dHBzOi8vd3d3LmRyb3Bib3guY29tL3RyYW5zZmVyL0FBQUFBQnVmbEtfLVRUejIwWkFzTXBmdGExM3VvaExEdDNpdlpadTRCUUtFSTcxOXZWQVJHTnM/ZG93bmxvYWRfYWxsPVRydWUmZW1haWxfdHlwZT1TRU5EX0JZX0VNQUlMX1JFQ0lQSUVOVCZmdHJlZj03NGNjY2ZiYjQ0NTllNDg5MTQyMGI3NjEyNGIyNTlhMWMxZTMzYmNlY2E5OGI0ZWYwMzRlN2I0YmE0YmRmYjYyJm9yZWY9ZVrbAWh0dHBzOi8vd3d3LmRyb3Bib3guY29tL3RyYW5zZmVyL0FBQUFBQnVmbEtfLVRUejIwWkFzTXBmdGExM3VvaExEdDNpdlpadTRCUUtFSTcxOXZWQVJHTnM/ZG93bmxvYWRfYWxsPVRydWUmZW1haWxfdHlwZT1TRU5EX0JZX0VNQUlMX1JFQ0lQSUVOVCZmdHJlZj03NGNjY2ZiYjQ0NTllNDg5MTQyMGI3NjEyNGIyNTlhMWMxZTMzYmNlY2E5OGI0ZWYwMzRlN2I0YmE0YmRmYjYyJm9yZWY9ZSoNZmlsZV90cmFuc2ZlcjINdmlld190cmFuc2Zlcg==", "EAEy1AEKb01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTcuMC4wLjAgU2FmYXJpLzUzNy4zNhInMjQyMjgzNjQwMzE4MzA0NjU5OTk4ODg1OTI0NTc1ODg5MDgyOTMwGgw4LjQ2LjEyMy54eHgyAlVTOgZDaHJvbWVCBzExNy4wLjBKB1dpbmRvd3NSDDEwLk5vbmUuTm9uZVgB", false ); }); });
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The code appears to be a legitimate Dropbox file transfer module using Edison framework. While it contains a base64 encoded string (1 point) and makes external requests to dropbox.com (1 point), these are standard practices for Dropbox's file transfer system. The domain (dropbox.com) is trusted, and the code structure follows expected patterns for their service." }
window.addRequireLoadCallback(function() { window.require(["js/edison/edison"], function (edisonModule) { edisonModule.Edison.registerStreamedPrefetch("ErkECjpwcml2YWN5X2NvbnNlbnRfZWRpc29uLlByaXZhY3lDb25zZW50RWRpc29uUHJlZmV0Y2hTZXJ2aWNlEhtQcml2YWN5Q29uc2VudFByb3BzUHJlZmV0Y2gavwMSvANS2wFodHRwczovL3d3dy5kcm9wYm94LmNvbS90cmFuc2Zlci9BQUFBQUJ1ZmxLXy1UVHoyMFpBc01wZnRhMTN1b2hMRHQzaXZaWnU0QlFLRUk3MTl2VkFSR05zP2Rvd25sb2FkX2FsbD1UcnVlJmVtYWlsX3R5cGU9U0VORF9CWV9FTUFJTF9SRUNJUElFTlQmZnRyZWY9NzRjY2NmYmI0NDU5ZTQ4OTE0MjBiNzYxMjRiMjU5YTFjMWUzM2JjZWNhOThiNGVmMDM0ZTdiNGJhNGJkZmI2MiZvcmVmPWVa2wFodHRwczovL3d3dy5kcm9wYm94LmNvbS90cmFuc2Zlci9BQUFBQUJ1ZmxLXy1UVHoyMFpBc01wZnRhMTN1b2hMRHQzaXZaWnU0QlFLRUk3MTl2VkFSR05zP2Rvd25sb2FkX2FsbD1UcnVlJmVtYWlsX3R5cGU9U0VORF9CWV9FTUFJTF9SRUNJUElFTlQmZnRyZWY9NzRjY2NmYmI0NDU5ZTQ4OTE0MjBiNzYxMjRiMjU5YTFjMWUzM2JjZWNhOThiNGVmMDM0ZTdiNGJhNGJkZmI2MiZvcmVmPWUqDWZpbGVfdHJhbnNmZXIyDXZpZXdfdHJhbnNmZXI=", "ChNjb25zZW50LmRyb3Bib3guY29tEgJVUzAB", false ); }); });
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "This appears to be a legitimate RequireJS configuration file from Dropbox's content delivery network (cfl.dropboxstatic.com). It only defines paths for JavaScript modules and sets basic configuration values. No suspicious behaviors, dynamic code execution, or data transmission patterns are present." }
window.__SERVED_BY_EDISON_WEB_SERVER__ = true; var requireConfig = {"baseUrl": "https://cfl.dropboxstatic.com/", "waitSeconds": 30, "paths": {"atlas/file_transfer/view_transfer_bundle_amd/dist/c_abuse_fingerprintjs_component": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_abuse_fingerprintjs_component-vfllvdFxh", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_abuse_funcaptcha_modal": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_abuse_funcaptcha_modal-vflBC6rlP", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_abuse_login_and_register_constants_fetch": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_abuse_login_and_register_constants_fetch-vflzmPIhI", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_accessibility_ax_audit": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_accessibility_ax_audit-vfld9ZPIj", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_account_menu_account_menu_contents": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_account_menu_account_menu_contents-vflzdvUOl", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_activation_data_slices": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_activation_data_slices-vflXRZhQt", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_activation_data_store": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_activation_data_store-vflFESuol", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_admin_console_home_after_display_hooks_log_select_cta.after-display": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_admin_console_home_after_display_hooks_log_select_cta.after-display-vflOFsOLD", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_admin_console_home_after_display_hooks_log_shown_admin_console_home_onboarding_modal.after-display": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_admin_console_home_after_display_hooks_log_shown_admin_console_home_onboarding_modal.after-display-vflTK6UWZ", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_adyen-checkout": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_adyen-checkout-vflcZOMzh", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_adyen_adyen-web_adyen": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_adyen_adyen-web_adyen-vfl2pqe6_", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_api_v2_active_user_client": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_api_v2_active_user_client-vflbHE7ek", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_api_v2_noauth_client": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_api_v2_noauth_client-vflNs_Bqk", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_auth_common_captcha": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_auth_common_captcha-vfl4rt8Bu", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_auth_login_or_register_modal": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_auth_login_or_register_modal-vflrjQTd5", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_bem": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_bem-vflkYApea", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_branding_shared_previews_file_viewer_preview": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_branding_shared_previews_file_viewer_preview-vfla2_kAf", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_browse_uri_interface": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_browse_uri_interface-vflfPbFHE", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_campaign_formats_action_choice_modal": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_campaign_formats_action_choice_modal-vflBjcmIl", "atlas/file_transfer/view_transfer_bundle_amd/dist/c_campaign_formats_banner_campaign_banner": "static/atlas/file_transfer/view_transfer_bundle_amd/dist/c_campaign_formats_banner_campaign_banner-vflXMqay8", "atlas/file_transfer/view_transfer
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The code appears to be a legitimate module loading system with base64 encoded parameters. While encoding can be a red flag, this pattern is common in feature flag/A-B testing systems (like 'Stormcrow'). The code loads from a local path ('js/data_modules/stormcrow') and performs registration with encoded configuration data. No high-risk behaviors like eval() or external data transmission are present." }
window.addRequireLoadCallback(function() { window.require(["js/data_modules/stormcrow"], function (module) { module.Stormcrow.registerAssignment("CicKJXBlcmZfZW5nXzIwMjRfMDVfMjRfdWRjbF9zc2FfZXhwb3J0ZXI=", "CiVwZXJmX2VuZ18yMDI0XzA1XzI0X3VkY2xfc3NhX2V4cG9ydGVyEgNPRkYalQIKGwoVa2V5X2RhdGFfZmllbGRfdmFsdWVzEgJ7fQo1CgxmZWF0dXJlX25hbWUSJXBlcmZfZW5nXzIwMjRfMDVfMjRfdWRjbF9zc2FfZXhwb3J0ZXIKDAoGdmlld2VyEgItMQoUCgZyYW5kb20SCjI1NTgzMjI4MDIKEwoNcG9wdWxhdGlvbl9pZBICMzAKNQoKc2Vzc2lvbl9pZBInMjQyMjgzNjQwMzE4MzA0NjU5OTk4ODg1OTI0NTc1ODg5MDgyOTMwCg4KB3ZhcmlhbnQSA09GRgouCgpyZXF1ZXN0X2lkEiBkMWJkMzBmYjU2YzM0YmY4YTNiNGUwODNlMWJiYjY5NQoPCgtjdXN0b21fdGV4dBIA"); }); });
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script shows analytics behavior with data collection and transmission patterns. While it includes encoded data (base64) and makes external connections to Dropbox domains, these appear to be legitimate analytics tracking parameters. The presence of numerous tracking events and user interaction monitoring warrants some caution, but the domains and behavior patterns align with expected analytics functionality." }
window.addRequireLoadCallback(function() { window.require(["js/edison/edison"], function (edisonModule) { edisonModule.Edison.registerStreamedPrefetch("EpoECiZ1eF9hbmFseXRpY3MuVXhBbmFseXRpY3NFZGlzb25TZXJ2aWNlchIQVXhBbmFseXRpY3NGZXRjaBq/AxK8A1LbAWh0dHBzOi8vd3d3LmRyb3Bib3guY29tL3RyYW5zZmVyL0FBQUFBQnVmbEtfLVRUejIwWkFzTXBmdGExM3VvaExEdDNpdlpadTRCUUtFSTcxOXZWQVJHTnM/ZG93bmxvYWRfYWxsPVRydWUmZW1haWxfdHlwZT1TRU5EX0JZX0VNQUlMX1JFQ0lQSUVOVCZmdHJlZj03NGNjY2ZiYjQ0NTllNDg5MTQyMGI3NjEyNGIyNTlhMWMxZTMzYmNlY2E5OGI0ZWYwMzRlN2I0YmE0YmRmYjYyJm9yZWY9ZVrbAWh0dHBzOi8vd3d3LmRyb3Bib3guY29tL3RyYW5zZmVyL0FBQUFBQnVmbEtfLVRUejIwWkFzTXBmdGExM3VvaExEdDNpdlpadTRCUUtFSTcxOXZWQVJHTnM/ZG93bmxvYWRfYWxsPVRydWUmZW1haWxfdHlwZT1TRU5EX0JZX0VNQUlMX1JFQ0lQSUVOVCZmdHJlZj03NGNjY2ZiYjQ0NTllNDg5MTQyMGI3NjEyNGIyNTlhMWMxZTMzYmNlY2E5OGI0ZWYwMzRlN2I0YmE0YmRmYjYyJm9yZWY9ZSoNZmlsZV90cmFuc2ZlcjINdmlld190cmFuc2Zlcg==", "CAESjTB7InJlcXVlc3RJZCI6ICJkMWJkMzBmYjU2YzM0YmY4YTNiNGUwODNlMWJiYjY5NSIsICJvcmdSZWZlcnJlciI6ICIiLCAiaHR0cFJlZmVycmVyIjogIiIsICJwcmV2aW91c1VybCI6ICIiLCAidmlzaXRJZCI6ICIiLCAiZXZlbnRfbmFtZXMiOiBbImNsaWNrX3NvdXJjZSIsICJkcm9wYm94X2Rvd25sb2FkIiwgInNpZ251cF9tb2RhbF9zaG93biIsICJnb29nbGVfbG9naW5fcmVxdWlyZXNfdHdvX2ZhY3RvciIsICJ6b29tX2NoYXRfbmV0d29ya19mYWlsZWQiLCAic2lnbnVwX3NvdXJjZSIsICJlbWFpbF9zcGxpdF9zaWdudXBfY29udGludWUiLCAiYWRtaW5faG9tZV9jbGllbnRfYmFubmVyX2Rpc21pc3NlZCIsICJhcHBfbmFtZSIsICJlbWFpbF9zaWdudXBfZmFpbGVkIiwgInNpZ251cF9tb2RhbF9kaXNtaXNzZWQiLCAiem9vbV9jaGF0X2lmcmFtZV9sb2FkZWQiLCAiZW1haWxfc2lnbnVwX3N0YXJ0IiwgInV4YV9ldmVudF9jbGFzc2lmaWNhdGlvbl9sZXZlbCIsICJsb2dpbl9tb2RhbF9zaG93biIsICJsb2dpbl9tb2RhbF9kaXNtaXNzZWQiLCAiZWxlbWVudF9oaWRlIiwgImNoYXRfdHlwZSIsICJwdXJjaGFzZV9wcmljZSIsICJleGNlcHRpb25fbWVzc2FnZSIsICJuYXZpZ2F0aW9uX3R5cGUiLCAidXhhX2RlYnVnX3ZlcnNpb24iLCAiYmZjYWNoZV9lbGlnaWJsZSIsICJkaWFsb2dfb3BlbiIsICJhZG1pbl9ob21lX2NsaWVudF9iYW5uZXJfc2hvd24iLCAiZG9jdW1lbnRfb3BlbiIsICJwYXJlbnRfcHJvZHVjdCIsICJmb3JtX2ZpZWxkX2NoYW5nZSIsICJ6b29tX2NoYXRfZW5kZWQiLCAibW9kYWxfY2xvc2UiLCAiaWZyYW1lX3VyaSIsICJnb29nbGVfbG9naW5fZmFpbGVkIiwgImxpbmtfY2xpY2siLCAibGljZW5zZXMiLCAiZWxlbWVudF9jbGljayIsICJjbGlja19iYW5uZXJfc2lnbmluX2VwIiwgImdvb2dsZV9zaWdudXBfc3VjY2VlZGVkIiwgInBsYXRmb3JtIiwgInNpYV9sb2dpbl9yZXF1aXJlc19wYXNzd29yZCIsICJjbGlja190b29sdGlwX3NpZ25pbl9lcCIsICJmaW5hbF9oZWFydGJlYXQiLCAiZ29vZ2xlX3NpZ251cF9zdGFydCIsICJkZXZpY2VfaWQiLCAic2lhX2xvZ2luX3N1Y2NlZWRlZCIsICJ6b29tX2NoYXRfbWluaW1pemVkIiwgImluc3RhbmNlX2V2ZW50X2NvdW50IiwgImVtYWlsX3NpZ251cF9zdWNjZWVkZWQiLCAid2ViX3JlZGVzaWduIiwgImhzX2NhdGVnb3J5IiwgInJlZGlyZWN0X3RvX2Ryb3Bib3hfc21vZGVfc3RvcmVfcGFnZSIsICJoZWFydGJlYXQiLCAiZW1haWxfbG9naW5fc3VjY2VlZGVkIiwgImNhdGVnb3JpZXMiLCAidXhhX2luY2x1c2lvbl9tZXRob2QiLCAiZG9jdW1lbnRfY2xvc2UiLCAic2lhX2xvZ2luX3JlcXVpcmVzX3R3b19mYWN0b3IiLCAiZWxlbWVudF9zaG93biIsICJzdXJmYWNlX3NjcmVlbl9oZWlnaHQiLCAiY2hhdF9pbnRlcmFjdGlvbl90eXBlIiwgInNjcmlwdF91cmwiLCAiZXh0ZXJuYWxfdGFnIiwgInV4LWFuYWx5dGljcyIsICJtb2RhbF9vcGVuIiwgInNob3duX3Rvb2x0aXBfc2lnbmluX2VwIiwgImluc3RhbmNlX2luaXRfdHMiLCAiem9vbV9jaGF0X2luaXRpYXRpb25fZmFpbGVkIiwgInpvb21fY2hhdF9pbml0aWF0aW9uX3N1Y2Nlc3MiLCAiem9vbV9jaGF0X21heGltaXplZCIsICJ6b29tX2NoYXRfcmVxdWVzdGVkIiwgInVzZXJfaW50ZXJhY3RlZCIsICJlbWFpbF9sb2dpbl9yZWRpcmVjdCIsICJldmVudF9kZXRhaWxzIiwgImxpbmtfbm9fc2Vzc2lvbl9zdG9yYWdlIiwgIm1hcmtldGluZ190cmFja2VyX2luY2x1c2lvbl9tZXRob2QiLCAicGFnZV92aWV3IiwgImVtYWlsX2xvZ2luX3JlcXVpcmVzX3R3b19mYWN0b3IiLCAiaHNfbGFiZWwiLCAiZGVmYXVsdF9ub25fY2NwYV90b2dnbGVzX29uIiwgInRvdGFsX3RpbWUiLCAicHJvZHVjdCIsICJwYWdlX3ZpZXdfb3JpZ2luIiwgImdvb2dsZV9zaWdudXBfZmFpbGVkIiwgImRpYWxvZ19jbG9zZSIsICJzY3JvbGxfZXZlbnQiLCAiY3VycmVuY3lfY29kZSIsICJoc19hY3Rpb24iLCAic2NyaXB0X2lkIiwgInN1cmZhY2Vfc2NyZWVuX3dpZHRoIiwgImdvb2dsZV9sb2dpbl9zdGFydCIsICJlbWFpbF9sb2dpbl9mYWlsZWQiLCAiYWRtaW5faG9tZV9jbGllbnRfYmFubmVyX2NsaWNrZWQiLCAiYmlsbGluZ19jeWNsZSIsICJzaG93bl9iYW5uZXJfc2lnbmluX2VwIiwgInNpYV9sb2dpbl9mYWlsZWQiLCAicmVkaXJlY3Rfc3VjY2VzcyIsICJhZG9iZV90YXJnZXRfdmFyaWFudHMiLCAic2Nhbl9zdWNjZXNzIiwgInpvb21fY2hhdF90aW1lb3V0X2ZhaWx1cmUiLCAiZ29vZ2xlX2xvZ2luX3N1Y2NlZWRlZCIsICJ0eXBlIiwgImRyb3Bib3hfcmVzdGFydF9kb3dubG9hZCIsICJlbWFpbF9sb2dp
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The code appears to be a legitimate module loading system with base64 encoded configuration data. While encoding is present, it's used for configuration rather than obfuscation. The code interacts with an internal 'stormcrow' module and registers assignments, which is typical for feature flagging or A/B testing systems. No high-risk behaviors like external data transmission or suspicious redirects are present." }
window.addRequireLoadCallback(function() { window.require(["js/data_modules/stormcrow"], function (module) { module.Stormcrow.registerAssignment("ChoKGHBzX2luZnJhX2xvYWRfZnVuY2FwdGNoYQ==", "Chhwc19pbmZyYV9sb2FkX2Z1bmNhcHRjaGESAk9OGocCCjUKCnNlc3Npb25faWQSJzI0MjI4MzY0MDMxODMwNDY1OTk5ODg4NTkyNDU3NTg4OTA4MjkzMAooCgxmZWF0dXJlX25hbWUSGHBzX2luZnJhX2xvYWRfZnVuY2FwdGNoYQoNCgd2YXJpYW50EgJPTgouCgpyZXF1ZXN0X2lkEiBkMWJkMzBmYjU2YzM0YmY4YTNiNGUwODNlMWJiYjY5NQoPCgtjdXN0b21fdGV4dBIAChQKBnJhbmRvbRIKNDI1NDI1OTc3MAoTCg1wb3B1bGF0aW9uX2lkEgIzMAobChVrZXlfZGF0YV9maWVsZF92YWx1ZXMSAnt9CgwKBnZpZXdlchICLTE="); }); });
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "Script interacts with Dropbox's file transfer service using base64 encoded data. While Dropbox is a trusted domain (+0), the use of encoded parameters (+2) and file transfer functionality (+2) warrants caution. No clear malicious intent but requires monitoring for potential data exfiltration." }
window.addRequireLoadCallback(function() { window.require(["js/edison/edison"], function (edisonModule) { edisonModule.Edison.registerStreamedPrefetch("EoMEChR2aWV3ZXIuVmlld2VyU2VydmljZRILRmV0Y2hWaWV3ZXIavwMSvANS2wFodHRwczovL3d3dy5kcm9wYm94LmNvbS90cmFuc2Zlci9BQUFBQUJ1ZmxLXy1UVHoyMFpBc01wZnRhMTN1b2hMRHQzaXZaWnU0QlFLRUk3MTl2VkFSR05zP2Rvd25sb2FkX2FsbD1UcnVlJmVtYWlsX3R5cGU9U0VORF9CWV9FTUFJTF9SRUNJUElFTlQmZnRyZWY9NzRjY2NmYmI0NDU5ZTQ4OTE0MjBiNzYxMjRiMjU5YTFjMWUzM2JjZWNhOThiNGVmMDM0ZTdiNGJhNGJkZmI2MiZvcmVmPWVa2wFodHRwczovL3d3dy5kcm9wYm94LmNvbS90cmFuc2Zlci9BQUFBQUJ1ZmxLXy1UVHoyMFpBc01wZnRhMTN1b2hMRHQzaXZaWnU0QlFLRUk3MTl2VkFSR05zP2Rvd25sb2FkX2FsbD1UcnVlJmVtYWlsX3R5cGU9U0VORF9CWV9FTUFJTF9SRUNJUElFTlQmZnRyZWY9NzRjY2NmYmI0NDU5ZTQ4OTE0MjBiNzYxMjRiMjU5YTFjMWUzM2JjZWNhOThiNGVmMDM0ZTdiNGJhNGJkZmI2MiZvcmVmPWUqDWZpbGVfdHJhbnNmZXIyDXZpZXdfdHJhbnNmZXI=", "", false ); }); });
URL: https://www.dropbox.com/transfer/AAAAABuflK_-TTz20... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "This appears to be legitimate Dropbox file transfer code using Edison module for prefetching and analytics. It interacts with dropbox.com domain (trusted source) and uses standard module loading patterns. The base64 encoded strings contain standard parameters for file transfers. No malicious indicators present." }
window.addRequireLoadCallback(function() { window.require(["js/edison/edison"], function (edisonModule) { if (edisonModule.Edison.markServerSidePrefetchStarted) { edisonModule.Edison.markServerSidePrefetchStarted(["EpgECiBmaWxlX3RyYW5zZmVyLkZpbGVUcmFuc2ZlckVkaXNvbhIUVmlld1RyYW5zZmVyUHJlZmV0Y2gavwMSvANS2wFodHRwczovL3d3dy5kcm9wYm94LmNvbS90cmFuc2Zlci9BQUFBQUJ1ZmxLXy1UVHoyMFpBc01wZnRhMTN1b2hMRHQzaXZaWnU0QlFLRUk3MTl2VkFSR05zP2Rvd25sb2FkX2FsbD1UcnVlJmVtYWlsX3R5cGU9U0VORF9CWV9FTUFJTF9SRUNJUElFTlQmZnRyZWY9NzRjY2NmYmI0NDU5ZTQ4OTE0MjBiNzYxMjRiMjU5YTFjMWUzM2JjZWNhOThiNGVmMDM0ZTdiNGJhNGJkZmI2MiZvcmVmPWVa2wFodHRwczovL3d3dy5kcm9wYm94LmNvbS90cmFuc2Zlci9BQUFBQUJ1ZmxLXy1UVHoyMFpBc01wZnRhMTN1b2hMRHQzaXZaWnU0QlFLRUk3MTl2VkFSR05zP2Rvd25sb2FkX2FsbD1UcnVlJmVtYWlsX3R5cGU9U0VORF9CWV9FTUFJTF9SRUNJUElFTlQmZnRyZWY9NzRjY2NmYmI0NDU5ZTQ4OTE0MjBiNzYxMjRiMjU5YTFjMWUzM2JjZWNhOThiNGVmMDM0ZTdiNGJhNGJkZmI2MiZvcmVmPWUqDWZpbGVfdHJhbnNmZXIyDXZpZXdfdHJhbnNmZXI=","EpoECiN3ZWJfcGxhdGZvcm0uV2ViUGxhdGZvcm1FZGlzb25GZXRjaBITRWRpc29uRGV2VG9vbHNGZXRjaBq/AxK8A1LbAWh0dHBzOi8vd3d3LmRyb3Bib3guY29tL3RyYW5zZmVyL0FBQUFBQnVmbEtfLVRUejIwWkFzTXBmdGExM3VvaExEdDNpdlpadTRCUUtFSTcxOXZWQVJHTnM/ZG93bmxvYWRfYWxsPVRydWUmZW1haWxfdHlwZT1TRU5EX0JZX0VNQUlMX1JFQ0lQSUVOVCZmdHJlZj03NGNjY2ZiYjQ0NTllNDg5MTQyMGI3NjEyNGIyNTlhMWMxZTMzYmNlY2E5OGI0ZWYwMzRlN2I0YmE0YmRmYjYyJm9yZWY9ZVrbAWh0dHBzOi8vd3d3LmRyb3Bib3guY29tL3RyYW5zZmVyL0FBQUFBQnVmbEtfLVRUejIwWkFzTXBmdGExM3VvaExEdDNpdlpadTRCUUtFSTcxOXZWQVJHTnM/ZG93bmxvYWRfYWxsPVRydWUmZW1haWxfdHlwZT1TRU5EX0JZX0VNQUlMX1JFQ0lQSUVOVCZmdHJlZj03NGNjY2ZiYjQ0NTllNDg5MTQyMGI3NjEyNGIyNTlhMWMxZTMzYmNlY2E5OGI0ZWYwMzRlN2I0YmE0YmRmYjYyJm9yZWY9ZSoNZmlsZV90cmFuc2ZlcjINdmlld190cmFuc2Zlcg==","EooEChhsb2NhbGVqcy5Mb2NhbGVKU1NlcnZpY2USDkZldGNoQ29uc3RhbnRzGr8DErwDUtsBaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vdHJhbnNmZXIvQUFBQUFCdWZsS18tVFR6MjBaQXNNcGZ0YTEzdW9oTER0M2l2Wlp1NEJRS0VJNzE5dlZBUkdOcz9kb3dubG9hZF9hbGw9VHJ1ZSZlbWFpbF90eXBlPVNFTkRfQllfRU1BSUxfUkVDSVBJRU5UJmZ0cmVmPTc0Y2NjZmJiNDQ1OWU0ODkxNDIwYjc2MTI0YjI1OWExYzFlMzNiY2VjYTk4YjRlZjAzNGU3YjRiYTRiZGZiNjImb3JlZj1lWtsBaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vdHJhbnNmZXIvQUFBQUFCdWZsS18tVFR6MjBaQXNNcGZ0YTEzdW9oTER0M2l2Wlp1NEJRS0VJNzE5dlZBUkdOcz9kb3dubG9hZF9hbGw9VHJ1ZSZlbWFpbF90eXBlPVNFTkRfQllfRU1BSUxfUkVDSVBJRU5UJmZ0cmVmPTc0Y2NjZmJiNDQ1OWU0ODkxNDIwYjc2MTI0YjI1OWExYzFlMzNiY2VjYTk4YjRlZjAzNGU3YjRiYTRiZGZiNjImb3JlZj1lKg1maWxlX3RyYW5zZmVyMg12aWV3X3RyYW5zZmVy","Eo0EChl0aW1lX3ByZWYuVGltZVByZWZTZXJ2aWNlEhBUaW1lUHJlZlByZWZldGNoGr8DErwDUtsBaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vdHJhbnNmZXIvQUFBQUFCdWZsS18tVFR6MjBaQXNNcGZ0YTEzdW9oTER0M2l2Wlp1NEJRS0VJNzE5dlZBUkdOcz9kb3dubG9hZF9hbGw9VHJ1ZSZlbWFpbF90eXBlPVNFTkRfQllfRU1BSUxfUkVDSVBJRU5UJmZ0cmVmPTc0Y2NjZmJiNDQ1OWU0ODkxNDIwYjc2MTI0YjI1OWExYzFlMzNiY2VjYTk4YjRlZjAzNGU3YjRiYTRiZGZiNjImb3JlZj1lWtsBaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vdHJhbnNmZXIvQUFBQUFCdWZsS18tVFR6MjBaQXNNcGZ0YTEzdW9oTER0M2l2Wlp1NEJRS0VJNzE5dlZBUkdOcz9kb3dubG9hZF9hbGw9VHJ1ZSZlbWFpbF90eXBlPVNFTkRfQllfRU1BSUxfUkVDSVBJRU5UJmZ0cmVmPTc0Y2NjZmJiNDQ1OWU0ODkxNDIwYjc2MTI0YjI1OWExYzFlMzNiY2VjYTk4YjRlZjAzNGU3YjRiYTRiZGZiNjImb3JlZj1lKg1maWxlX3RyYW5zZmVyMg12aWV3X3RyYW5zZmVy","EoMEChR2aWV3ZXIuVmlld2VyU2VydmljZRILRmV0Y2hWaWV3ZXIavwMSvANS2wFodHRwczovL3d3dy5kcm9wYm94LmNvbS90cmFuc2Zlci9BQUFBQUJ1ZmxLXy1UVHoyMFpBc01wZnRhMTN1b2hMRHQzaXZaWnU0QlFLRUk3MTl2VkFSR05zP2Rvd25sb2FkX2FsbD1UcnVlJmVtYWlsX3R5cGU9U0VORF9CWV9FTUFJTF9SRUNJUElFTlQmZnRyZWY9NzRjY2NmYmI0NDU5ZTQ4OTE0MjBiNzYxMjRiMjU5YTFjMWUzM2JjZWNhOThiNGVmMDM0ZTdiNGJhNGJkZmI2MiZvcmVmPWVa2wFodHRwczovL3d3dy5kcm9wYm94LmNvbS90cmFuc2Zlci9BQUFBQUJ1ZmxLXy1UVHoyMFpBc01wZnRhMTN1b2hMRHQzaXZaWnU0QlFLRUk3MTl2VkFSR05zP2Rvd25sb2FkX2FsbD1UcnVlJmVtYWlsX3R5cGU9U0VORF9CWV9FTUFJTF9SRUNJUElFTlQmZnRyZWY9NzRjY2NmYmI0NDU5ZTQ4OTE0MjBiNzYxMjRiMjU5YTFjMWUzM2JjZWNhOThiNGVmMDM0ZTdiNGJhNGJkZmI2MiZvcmVmPWUqDWZpbGVfdHJhbnNmZXIyDXZpZXdfdHJhbnNmZXI=","ErUECjpwcml2YWN5X2NvbnNlbnRfZWRpc29uLlByaXZhY3lDb25zZW50RWRpc29uUHJlZmV0Y2hTZXJ2aWNlEhdDQ1BBSWZyYW1lUHJvcHNQcmVmZXRjaBq/AxK8A1LbAWh0dHBzOi8vd3d3LmRyb3Bib3guY29tL3RyYW5zZmVyL0FBQUFBQnVmbEtfLVRUejIwWkFzTXBmdGExM3
URL: file:///C:/Users/user/Downloads/Care%20Systems%20Services%20LTD.pdf Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "VIEW DOCUMENT HERE", "prominent_button_name": "VIEW DOCUMENT HERE", "text_input_field_labels": "unknown", "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: file:///C:/Users/user/Downloads/Care%20Systems%20Services%20LTD.pdf Model: Joe Sandbox AI	{ "brands": [ "Automated Logic" ] }
	{ "brands": [ "Automated Logic" ] }
URL: https://whitespotfitness.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://whitespotfitness.com

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.186025365276797
Encrypted:	false
SSDEEP:
MD5:	3AC10117044DC1C483C5B12E6DA16E6E
SHA1:	853EE383D7A57633D1BD16F247CD93F711BF33E2
SHA-256:	30E5E5CB3473A0817B3A8E2CD9ABF8E24EE8D336E11C262A5B64356F8BBC710B
SHA-512:	FB51B5BA940A6BAFD5707F21150CE86E58220E76002504C8C2C3A3B22A2EAEEA63E600AD8B5E06494843D30C26B45D491A25868DC189800F98FBA604E8DE2F7F
Malicious:	false
Reputation:	unknown
Preview:	2024/12/05-14:15:23.015 3d8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/05-14:15:23.018 3d8 Recovering log #3.2024/12/05-14:15:23.018 3d8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PDF document, version 1.7, 1 pages
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BB43652F4D4AF9F57B90FCA2FE8E6794
SHA1:	49450EBD398CB97BD150EC39E0C121DFF41DD651
SHA-256:	65B77F77E0CC4C31D82459BA14963FDA8CCCBA3D8471221E87D323472C6521A0
SHA-512:	6B080BB127F347D599F3B68A97820039D4204B75D70CD3F8ECF3DE9180C376B562D44A9E00D53693073DF1C0755AE85D3D51978E5E2A3E4E37959EEBBE4C2405
Malicious:	false
Reputation:	unknown
Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 38 0 R/MarkInfo<</Marked true>>/Metadata 124 0 R/ViewerPreferences 125 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 1/Kids[ 3 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 20 0 R/F5 25 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/XObject<</Image31 31 0 R/Image32 32 0 R/Image34 34 0 R/Image35 35 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/Annots[ 19 0 R 30 0 R 33 0 R] /MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 2152>>..stream..x..Z[o.6.~7......9......v....nR... H.}Hv....3C..FJ:>..........E.}{....m+....+.H..A.)...Q...~.Q\|....p}u..._\|.r}.H$..mC.Vx.....H..{...O.Q<.[.?]_...e..?..?...p..]_.!...l.P6K.X.......A......B.\.g.X.%G...F..T.m.J..A...`.jo..R*......q.&..l......#..5....G$.#~....jBT.......4fOA..H.O.)\|.U....G..

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Software Vulnerabilities

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

C:\Users\user\AppData\Local\Temp\MSId47c2.LOG

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-05 14-15-24-636.log

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

C:\Users\user\AppData\Local\Temp\acrocef_low\3554e112-2a27-4183-9677-9ffab0beb8a2.tmp

C:\Users\user\AppData\Local\Temp\acrocef_low\6d0c980e-2de6-40a9-b38c-7f4270c8d057.tmp

C:\Users\user\AppData\Local\Temp\acrocef_low\856d26ee-4815-4322-bd04-63899cdd49db.tmp

C:\Users\user\AppData\Local\Temp\acrocef_low\89acf006-b074-4cf7-933b-8fd7440420fe.tmp

Windows Analysis Report
https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I