Edit tour

Windows Analysis Report
https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip

Overview

General Information

Sample URL:	https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip
Analysis ID:	1587408
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Downloads suspicious files via Chrome

Writes a notice file (html or txt) to demand a ransom

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Detected suspicious crossdomain redirect

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3872 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2476,i,8198650963386273841,13647284136402883920,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

unarchiver.exe (PID: 6848 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\PingCastle_3.3.0.1.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6876 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp" "C:\Users\user\Downloads\PingCastle_3.3.0.1.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6952 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Acrobat.exe (PID: 7032 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6396 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 6196 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,8144944481098509710,6803883750261835604,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 6544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastleAutoUpdater.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastle.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastle.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\license.rtf

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: costura.pingcastlecommon.pdb.compressed source: PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: costura.pingcastlecommon.pdb.compressed\|\|\|PingCastleCommon.pdb\|7DDD915C227E121D4CB3B1789518B6FD23A0336B\|8392 source: PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: PingCastle.exe.6.dr
Source:	Binary string: costura.pingcastlecommon.pdb.compressed\|\|\|PingCastleCommon.pdb\|152C3DEDC015FD0112599238C3853C7E1F051465\|8392 source: PingCastle.exe.6.dr
Source:	Binary string: D:\a\1\s\obj\release\PingCastle.pdb source: PingCastle.exe.6.dr
Source:	Binary string: D:\a\1\s\PingCastleAutoUpdater\obj\release\PingCastleAutoUpdater.pdb- source: PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: D:\a\1\s\obj\release\PingCastle.pdbD@)^@) P@)_CorExeMainmscoree.dll source: PingCastle.exe.6.dr
Source:	Binary string: newtonsoft.jsonMcostura.newtonsoft.json.dll.compressed!pingcastlecommonOcostura.pingcastlecommon.dll.compressedOcostura.pingcastlecommon.pdb.compressed source: PingCastle.exe.6.dr
Source:	Binary string: <Run>b__8_0<>9__8_1<Run>b__8_1IEnumerable`1IOrderedEnumerable`1ReadOnlyCollection`1IEnumerator`1List`1Int32<>9__8_2<Run>b__8_2Func`2Dictionary`2get_UTF8<>9<Module>System.IOGETCosturacostura.metadatamscorlib<>cSystem.Collections.GenericReadLoadforceDownloadfileNameLastDownloadAddWriteInRedisAttachedInterlockedcostura.costura.pdb.compressedcostura.pingcastlecommon.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.pingcastlecommon.dll.compressed<name>k__BackingField<prerelease>k__BackingField<size>k__BackingField<browser_download_url>k__BackingField<assets>k__BackingField<published_at>k__BackingFieldReadToEndTracesourceZipArchiveModeCompressionModeExchangenullCacheEnumerableIDisposableFileConsoleget_Nameget_FullNamefullNameGetNamerequestedAssemblyNameGetDirectoryNameget_nameset_nameDateTimeWriteLineSecurityProtocolTypeCompareWhereSystem.Corecultureget_CodeBaseReleaseget_prereleaseset_prereleaseget_ResponseWebResponseGetResponseCloseDisposeTryParseCreateDeleteWriteCompilerGeneratedAttributeGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteTryGetValuevalueZipArchiveadd_AssemblyResolveMovePingCastleAutoUpdater.exeDeserializeget_sizeset_sizeSystem.ThreadingOrderByDescendingGetEncodingSystem.Runtime.VersioningCultureToStringAttachget_LocalPathGetFullPathget_LengthEndsWithUrinullCacheLockCheckPathTraversalSystem.Collections.ObjectModelProceedReleaseInstallget_SecurityProtocolset_SecurityProtocolreleaseInfoUrlget_browser_download_urlset_browser_download_urlReadStreamLoadStreamGetManifestResourceStreamFileStreamGetResponseStreamDeflateStreamMemoryStreamstreamProgramset_ItemSystemop_LessThanOpenMainAppDomainget_CurrentDomainget_VersionFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.Web.Script.SerializationSystem.Reflectionset_PositionWebExceptionPingCastleCommonStringComparisonRunCopyToget_CultureInfoDisplayHelpSystem.LinqStreamReaderTextReaderAssemblyLoadersenderServicePointManagerResolveEventHandlerPingCastleAutoUpdaterEnterJavaScriptSerializerset_ForegroundColorConsoleColorResetColorFilesValidatorIEnumeratorGetEnumerator.ctor.cctorMonitorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesget_EntriesresourceNamessymbolNamesassemblyNamesget_FlagsAssemblyNameFlagsResolveEventArgsargsEqualsSystem.Web.ExtensionsSystem.Collectionsget_assetsset_assetsExistsAddDaysget_published_atset_published_atConcatObjectSystem.NetAssetExitToLowerInvariantset_UserAgentEnvironmentget_CurrentCountHttpWebRequestFirstMoveNextSystem.TextReadAllTextWriteAllTextpreviewget_NownumberOfDaysToWayPingCastleAutoUpdater_ProcessedByFodyConta
Source:	Binary string: costura.costura.pdb.compressed source: PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: D:\a\1\s\PingCastleAutoUpdater\obj\release\PingCastleAutoUpdater.pdb source: PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed!pingcastlecommonOcostura.pingcastlecommon.dll.compressedOcostura.pingcastlecommon.pdb.compressedGsystem.diagnostics.diagnosticsourceucostura.system.diagnostics.diagnosticsource.dll.compressedlDd source: PingCastleAutoUpdater.exe.6.dr

Networking

Yara detected Generic Downloader

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastle.exe, type: DROPPED

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: github.com to https://objects.githubusercontent.com/github-production-release-asset-2e65be/146924413/3bc39ae0-06ab-46ba-9145-597f72315fc8?x-amz-algorithm=aws4-hmac-sha256&x-amz-credential=releaseassetproduction%2f20250110%2fus-east-1%2fs3%2faws4_request&x-amz-date=20250110t095439z&x-amz-expires=300&x-amz-signature=7baf7e0309ddde41fc38b6583aff69974df729cb65205dc720c7b02c0841e8d5&x-amz-signedheaders=host&response-content-disposition=attachment%3b%20filename%3dpingcastle_3.3.0.1.zip&response-content-type=application%2foctet-stream

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip HTTP/1.1Host: github.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/146924413/3bc39ae0-06ab-46ba-9145-597f72315fc8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250110T095439Z&X-Amz-Expires=300&X-Amz-Signature=7baf7e0309ddde41fc38b6583aff69974df729cb65205dc720c7b02c0841e8d5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPingCastle_3.3.0.1.zip&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: <</IsMap false/S/URI/URI(https://www.facebook.com/Netwrix)>> equals www.facebook.com (Facebook)
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: <</IsMap false/S/URI/URI(https://www.linkedin.com/company/455932/)>> equals www.linkedin.com (Linkedin)
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: <</IsMap false/S/URI/URI(https://www.youtube.com/Netwrix)>> equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: PingCastle.exe.6.dr	String found in binary or memory: http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: PingCastle.exe.6.dr	String found in binary or memory: http://gary-nebbett.blogspot.com/2020/01/ldap-channel-binding.html
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: http://netwrix.com/ADSecurity)
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: http://netwrix.com/active-directory-risk-assessment.html)
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: PingCastle.exe.6.dr	String found in binary or memory: http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/GetCompanyDirSyncFeaturesResponsee
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/GetCompanyDirSyncFeaturesT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/GetCompanyInformationResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/GetCompanyInformationT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListDomainsResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListDomainsT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListRoleMembersResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListRoleMembersT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListRolesResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListRolesT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListUsersByStrongAuthenticationRespo
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListUsersByStrongAuthenticationT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListUsersResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/ListUsersT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/NavigateUserResultsResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/IProvisioningWebService/NavigateUserResultsT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://provisioning.microsoftonline.com/T
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServiceV
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServiced
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServicet
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServiceu
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService~
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.AdministrationN
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.AdministrationS
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationk
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationo
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationr
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationt
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationu
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationx
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationz
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml.LinqT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/EnumerateResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/EnumerateT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/GetStatusResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/GetStatusT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/PullResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/PullT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/ReleaseResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/ReleaseT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/RenewResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/RenewT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/faultT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumerationT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumerationW
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/GetT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/PutResponse
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/PutT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/faultT
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer5
Source: PingCastle.exe.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transferT
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: http://visjs.org/)
Source: 7za.exe, 00000006.00000003.1882211132.0000000002420000.00000004.00000800.00020000.00000000.sdmp, PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: PingCastle.exe.6.dr	String found in binary or memory: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
Source: PingCastle.exe.6.dr	String found in binary or memory: http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
Source: 2D85F72862B55C4EADD9E66E06947F3D0.11.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: PingCastle.exe.6.dr	String found in binary or memory: http://xxx/certsrv/certrqxt.asp
Source: PingCastle.exe.6.dr	String found in binary or memory: http://xxx/yyy_CES_Kerberos/services.svc
Source: PingCastle.exe.6.dr	String found in binary or memory: https://access.redhat.com/articles/4661861
Source: PingCastle.exe.6.dr	String found in binary or memory: https://access.redhat.com/discussions/1283873
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=1405
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=1667
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=2604
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=3299
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=3377
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=3466
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=376
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=4056
Source: PingCastle.exe.6.dr	String found in binary or memory: https://adsecurity.org/?p=4115
Source: PingCastleAutoUpdater.exe.6.dr	String found in binary or memory: https://api.github.com/repos/netwrix/pingcastle/releases
Source: PingCastle.exe.6.dr	String found in binary or memory: https://attack.mitre.org/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://attack.mitre.org/mitigations/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://attack.mitre.org/techniques/9Mitre
Source: PingCastle.exe.6.dr	String found in binary or memory: https://azurecloudai.blog/2019/10/01/laps-security-concern-computers-joiners-are-able-to-see-laps-pa
Source: PingCastle.exe.6.dr	String found in binary or memory: https://blog.0patch.com/2021/11/micropatch-for-remote-code-execution-by.html
Source: PingCastle.exe.6.dr	String found in binary or memory: https://blog.andreas-schreiner.de/2018/09/07/active-directory-sicherheit-teil-1-privilegierte-benutz
Source: PingCastle.exe.6.dr	String found in binary or memory: https://blog.lithnet.io/2018/12/disabling-unauthenticated-binds-in.html
Source: PingCastle.exe.6.dr	String found in binary or memory: https://blog.netwrix.com/2015/02/20/add-sensitive-user-accounts-to-active-directory-protected-users-
Source: PingCastle.exe.6.dr	String found in binary or memory: https://blog.nviso.eu/2023/12/08/rpc-or-not-here-we-log-preventing-exploitation-and-abuse-with-rpc-f
Source: PingCastle.exe.6.dr	String found in binary or memory: https://blog.palantir.com/microsoft-defender-attack-surface-reduction-recommendations-a5c7d41c3cf8
Source: PingCastle.exe.6.dr	String found in binary or memory: https://blog.stealthbits.com/resource-based-constrained-delegation-abuse/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://bootstrap-table.com/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://bugs.chromium.org/p/project-zero/issues/detail?id=2186
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: https://community.spiceworks.com/pages/NetWrix)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://community.spiceworks.com/t/are-redirected-printers-a-security-risk/826344/27
Source: PingCastle.exe.6.dr	String found in binary or memory: https://crocs.fi.muni.cz/public/papers/rsa_ccs17
Source: PingCastle.exe.6.dr	String found in binary or memory: https://csrc.nist.gov/publications/detail/fips/186/5/draft
Source: PingCastle.exe.6.dr	String found in binary or memory: https://cyber.gouv.fr/sites/default/files/IMG/pdf/NP_ActiveDirectory_NoteTech.pdf
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://datatables.net/)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc2713
Source: PingCastle.exe.6.dr	String found in binary or memory: https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://dirteam.com/sander/2008/12/09/active-directory-visibility-modes/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://dirteam.com/sander/2011/07/13/preventing-ous-and-containers-from-accidental-deletion/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-
Source: PingCastle.exe.6.dr	String found in binary or memory: https://dirteam.com/sander/2021/08/10/two-new-azure-ad-connect-versions-were-released-to-prevent-mit
Source: PingCastle.exe.6.dr	String found in binary or memory: https://docs.oracle.com/cd/E19424-01/820-4813/6ng8jv82s/index.html
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://editor.swagger.io/?url=https://gist.githubusercontent.com/vletoux/c6c565c8af07b4df5df65ed01f
Source: PingCastle.exe.6.dr	String found in binary or memory: https://enterinit.com/powershell-enable-active-directory-recycle-bin
Source: PingCastle.exe.6.dr	String found in binary or memory: https://getbootstrap.com/
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://getbootstrap.com/)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://gist.github.com/IISResetMe/399a75cfccabc1a17d0cc3b5ae29f3aa#file-update-msexchstoragegroupsc
Source: PingCastle.exe.6.dr	String found in binary or memory: https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb#rpc-to-rce-steps
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://gist.githubusercontent.com/vletoux/c6c565c8af07b4df5df65ed01ffeb917/raw/fca7a288050b7b17ba60
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/ANSSI-FR/AD-control-paths
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/BloodHoundAD/BloodHound
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/GoSecure/WSuspicious
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/hybrid/connect/tshoo
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/PSSecTools/Krbtgt
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/crocs-muni/roca
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/daem0nc0re/PrivFu#privilegedoperations
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/daem0nc0re/PrivFu/blob/main/PrivilegedOperations/SeTrustedCredManAccessPrivilegeP
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/decoder-it/psgetsystem
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/Fix-DomainObjectDACL.ps1
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/lgandx/Responder-Windows
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/microsoft/New-KrbtgtKeys.ps1
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/misterch0c/shadowbroker/tree/master/windows/exploits
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/netwrix/pingcastle/issues
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/nsacyber/Pass-the-Hash-Guidance
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/p0dalirius/Coercer
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/p0w3rsh3ll/NetCease
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/pimps/wsuxploit
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/zeronetworks/rpcfirewall
Source: PingCastle.exe.6.dr	String found in binary or memory: https://github.com/zyn3rgy/LdapRelayScan
Source: PingCastle.exe.6.dr	String found in binary or memory: https://graph.windows.net
Source: PingCastle.exe.6.dr	String found in binary or memory: https://graph.windows.net/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://helpcenter.netwrix.com/category/pingcastle
Source: PingCastle.exe.6.dr	String found in binary or memory: https://isc.sans.edu/diary/Controlling
Source: PingCastle.exe.6.dr	String found in binary or memory: https://itpro-tips.com/wp-content/uploads/files/TechnetGallery/Azure-AD-SSO-Key-Rollover-d2f1604a.zi
Source: PingCastle.exe.6.dr	String found in binary or memory: https://itpro-tips.com/wp-content/uploads/files/TechnetGallery/Enterprise-Key-Admins-720eb270.zip
Source: PingCastle.exe.6.dr	String found in binary or memory: https://jquery.org/
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://jquery.org/)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://keychest.net/roca
Source: PingCastle.exe.6.dr	String found in binary or memory: https://labs.withsecure.com/publications/how-to-own-any-windows-network-with-group-policy-hijacking-
Source: PingCastle.exe.6.dr	String found in binary or memory: https://login.microsoftonline.com/common/GetCredentialTypeshttps://login.microsoftonline.com/GetUser
Source: PingCastle.exe.6.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: PingCastle.exe.6.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/token
Source: PingCastle.exe.6.dr	String found in binary or memory: https://login.microsoftonline.com/organizations/oauth2/nativeclient
Source: PingCastle.exe.6.dr	String found in binary or memory: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorizeAhttps://login.microsoftonline.
Source: PingCastle.exe.6.dr	String found in binary or memory: https://login.microsoftonline.com/rhttps://login.microsoftonline.com/common/oauth2/authorizejhttps:/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://login.windows.net/xxxxx/.well-known/openid-configuration
Source: PingCastle.exe.6.dr	String found in binary or memory: https://main.iam.ad.ext.azure.com/api/Directories/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://management.azure.com/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://management.core.windows.net/
Source: PingCastle.exe.6.dr, changelog.txt.6.dr	String found in binary or memory: https://medium.com/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Activ
Source: PingCastle.exe.6.dr	String found in binary or memory: https://outlook.office365.com/adminapi/beta/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://outlook.office365.comChttps://login.microsoftonline.com/organizations/oauth2/nativeclient
Source: PingCastle.exe.6.dr	String found in binary or memory: https://oxfordcomputergroup.com/resources/ldap-channel-binding-signing-requirements/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://popper.js.org/
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://popper.js.org/)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://posts.specterops.io/certified-pre-owned-d95910965cd2
Source: PingCastle.exe.6.dr	String found in binary or memory: https://provisioningapi.microsoftonline.com/provisioningwebservice.svc
Source: PingCastle.exe.6.dr	String found in binary or memory: https://provisioningapi.microsoftonline.com/provisioningwebservice.svc%UserIdentityHeaderQhttp://pro
Source: PingCastle.exe.6.dr	String found in binary or memory: https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e09
Source: PingCastle.exe.6.dr	String found in binary or memory: https://rickardnobel.se/verify-redirected-computers-container-in-active-directory/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://secureidentity.se/adprep-bug-in-windows-server-2016/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://specterops.io/blog/2023/01/25/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://stat.pingcastle.com/Benchmark
Source: PingCastle.exe.6.dr	String found in binary or memory: https://sts.windows.net/3Exception
Source: PingCastle.exe.6.dr	String found in binary or memory: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04197764-1
Source: PingCastle.exe.6.dr	String found in binary or memory: https://syfuhs.net/lessons-in-disabling-rc4-in-active-directoryEThis
Source: PingCastle.exe.6.dr	String found in binary or memory: https://talubu.wordpress.com/2018/02/28/configuring-unc-hardened-access-through-group-policy/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://tldrlegal.com/license/mit-license
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://tldrlegal.com/license/mit-license)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://tools.ietf.org/html/rfc6150
Source: PingCastle.exe.6.dr	String found in binary or memory: https://tools.ietf.org/html/rfc6194
Source: PingCastle.exe.6.dr	String found in binary or memory: https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022
Source: PingCastle.exe.6.dr	String found in binary or memory: https://twitter.com/0gtweet/status/1303427935647531018?s=20
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: https://twitter.com/netwrix)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://woshub.com/remote-desktop-session-time-limit/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.alitajran.com/exchange-schema-versions/#Exchange
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-R
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.cert.ssi.gouv.fr/actualite/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.cert.ssi.gouv.fr/alerte/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.cert.ssi.gouv.fr/dur/CERTFR-2020-DUR-001/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.cert.ssi.gouv.fr/information/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html#vuln_
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html#vuln_3
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-service
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.gradenegger.eu/?p=1132
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/commercia
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: https://www.instagram.com/netwrix/)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.kb.cert.org/vuls/id/836068
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: https://www.linkedin.com/company/455932/)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: https://www.netwrix.com/social_communities.html)
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: https://www.netwrix.com/social_communities.html?utm_source=content&utm_medium=guide&utm_campaign=win
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.netwrix.com/support.html
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.petri.com/active-directory-security-understanding-adminsdholder-object
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.pingcastle.com
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://www.pingcastle.com/PingCastleFiles/ad_hc_summary.html)
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://www.pingcastle.com/PingCastleFiles/ad_hc_summary_full_node_map.html)
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://www.pingcastle.com/PingCastleFiles/ad_hc_summary_simple_node_map.html)
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://www.pingcastle.com/methodology/)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.pingcastle.com/reports/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.pingcastle.com/services/
Source: PingCastle v3.0.0.pdf.6.dr	String found in binary or memory: https://www.pingcastle.com/wp/wp-content/uploads/2018/09/pingcastle-methodology.png)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.pingcastle.com;
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-envi
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.romhack.io/slides/RomHack%202018%20-%20Andrea%20Pierini%20-%20whoami%20priv%20-%20show%2
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.sans.org/reading-room/whitepapers/windows/null-sessions-nt-2000-286
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.securityinsider-wavestone.com/2020/01/taking-over-windows-workstations-pxe-laps.html
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.semperis.com/blog/active-directory-security-abusing-display-specifiers/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.sentinelone.com/labs/relaying-potatoes-another-unexpected-privilege-escalation-vulnerabi
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lcr/mu04c.pdf
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.ssi.gouv.fr/guide/cryptographie-les-regles-du-rgs/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.stigviewer.com/stig/active_directory_domain/2017-12-15/finding/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.stigviewer.com/stig/active_directory_forest/2016-12-19/finding/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.stigviewer.com/stig/active_directory_service_2003/2011-05-20/finding/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.stigviewer.com/stig/active_directory_service_2008/2011-05-23/finding/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.stigviewer.com/stig/windows_2008_member_server/2018-03-07/finding/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.stigviewer.com/stig/windows_7/2012-08-22/finding/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.vkernel.ro/blog/installing-and-configuring-cep-and-ces-for-certificate-enrolling-on-non-
Source: PingCastle.exe.6.dr	String found in binary or memory: https://www.ws-its.de/gegenmassnahme-zum-angriff-dns-wildcard/
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	String found in binary or memory: https://www.youtube.com/Netwrix)
Source: PingCastle.exe.6.dr	String found in binary or memory: https://xxx/certsrv/certrqxt.asp
Source: PingCastle.exe.6.dr	String found in binary or memory: https://xxx/yyy_CES_Kerberos/service.svc
Source: PingCastle.exe.6.dr	String found in binary or memory: https://youtu.be/Fg2gvk0qgjM

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Spam, unwanted Advertisements and Ransom Demands

Writes a notice file (html or txt) to demand a ransom

Source: C:\Windows\SysWOW64\7za.exe

File dropped: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\changelog.txt -> decryption process was broken as successful descryption always triggered a failure* fix s-dc-subnetmissing when subnet are duplicated (contains cnf and generated from replication problem)* fix nt4 mismatch if the year was not present and include the word "datacenter"* add a check for "smart card required" for administrator accounts* reworked the menu to be more interactive2.5.0.0* rewrote all rules description / rationale / etc* added start and end date for exception* breaking: change the date at which the exception / migration is evaluated from current date to report generation date* new rules: a-smb2signaturenotenabled a-smb2signaturenotrequired s-dc-subnetmissing p-delegationloginscript* added an experimental scanner for replication usn check* allows dns admin group to be moved to another ou than cn=users (as a reminder, the group is selected based on its description)* fix logon logoff script label inverted* allow users to be in the guest group for their primary group (was domai

Jump to dropped file

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\PingCastle_3.3.0.1.zip (copy)

Jump to dropped file

Source: PingCastleAutoUpdater.exe.6.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal56.rans.troj.evad.win@41/59@8/5

Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: http://netwrix.com/active-directory-risk-assessment.html
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: http://netwrix.com/ADSecurity
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://www.youtube.com/netwrix
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://community.spiceworks.com/pages/NetWrix
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://www.facebook.com/Netwrix
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://www.youtube.com/Netwrix
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://community.spiceworks.com/pages/netwrix
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://www.netwrix.com/social_communities.html
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://twitter.com/netwrix
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://www.linkedin.com/company/455932/
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://www.instagram.com/netwrix/
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://www.facebook.com/netwrix
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: http://netwrix.com/adsecurity
Source: Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	Initial sample: https://www.netwrix.com/social_communities.html?utm_source=content&utm_medium=guide&utm_campaign=windows-server-hardening-checklist

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\637beebf-6d79-452d-be89-3db27af0e04d.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2476,i,8198650963386273841,13647284136402883920,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\PingCastle_3.3.0.1.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp" "C:\Users\user\Downloads\PingCastle_3.3.0.1.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,8144944481098509710,6803883750261835604,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2476,i,8198650963386273841,13647284136402883920,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\PingCastle_3.3.0.1.zip"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp" "C:\Users\user\Downloads\PingCastle_3.3.0.1.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,8144944481098509710,6803883750261835604,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\crash_reporter.cfg

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: costura.pingcastlecommon.pdb.compressed source: PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: costura.pingcastlecommon.pdb.compressed\|\|\|PingCastleCommon.pdb\|7DDD915C227E121D4CB3B1789518B6FD23A0336B\|8392 source: PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: PingCastle.exe.6.dr
Source:	Binary string: costura.pingcastlecommon.pdb.compressed\|\|\|PingCastleCommon.pdb\|152C3DEDC015FD0112599238C3853C7E1F051465\|8392 source: PingCastle.exe.6.dr
Source:	Binary string: D:\a\1\s\obj\release\PingCastle.pdb source: PingCastle.exe.6.dr
Source:	Binary string: D:\a\1\s\PingCastleAutoUpdater\obj\release\PingCastleAutoUpdater.pdb- source: PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: D:\a\1\s\obj\release\PingCastle.pdbD@)^@) P@)_CorExeMainmscoree.dll source: PingCastle.exe.6.dr
Source:	Binary string: newtonsoft.jsonMcostura.newtonsoft.json.dll.compressed!pingcastlecommonOcostura.pingcastlecommon.dll.compressedOcostura.pingcastlecommon.pdb.compressed source: PingCastle.exe.6.dr
Source:	Binary string: <Run>b__8_0<>9__8_1<Run>b__8_1IEnumerable`1IOrderedEnumerable`1ReadOnlyCollection`1IEnumerator`1List`1Int32<>9__8_2<Run>b__8_2Func`2Dictionary`2get_UTF8<>9<Module>System.IOGETCosturacostura.metadatamscorlib<>cSystem.Collections.GenericReadLoadforceDownloadfileNameLastDownloadAddWriteInRedisAttachedInterlockedcostura.costura.pdb.compressedcostura.pingcastlecommon.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.pingcastlecommon.dll.compressed<name>k__BackingField<prerelease>k__BackingField<size>k__BackingField<browser_download_url>k__BackingField<assets>k__BackingField<published_at>k__BackingFieldReadToEndTracesourceZipArchiveModeCompressionModeExchangenullCacheEnumerableIDisposableFileConsoleget_Nameget_FullNamefullNameGetNamerequestedAssemblyNameGetDirectoryNameget_nameset_nameDateTimeWriteLineSecurityProtocolTypeCompareWhereSystem.Corecultureget_CodeBaseReleaseget_prereleaseset_prereleaseget_ResponseWebResponseGetResponseCloseDisposeTryParseCreateDeleteWriteCompilerGeneratedAttributeGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteTryGetValuevalueZipArchiveadd_AssemblyResolveMovePingCastleAutoUpdater.exeDeserializeget_sizeset_sizeSystem.ThreadingOrderByDescendingGetEncodingSystem.Runtime.VersioningCultureToStringAttachget_LocalPathGetFullPathget_LengthEndsWithUrinullCacheLockCheckPathTraversalSystem.Collections.ObjectModelProceedReleaseInstallget_SecurityProtocolset_SecurityProtocolreleaseInfoUrlget_browser_download_urlset_browser_download_urlReadStreamLoadStreamGetManifestResourceStreamFileStreamGetResponseStreamDeflateStreamMemoryStreamstreamProgramset_ItemSystemop_LessThanOpenMainAppDomainget_CurrentDomainget_VersionFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.Web.Script.SerializationSystem.Reflectionset_PositionWebExceptionPingCastleCommonStringComparisonRunCopyToget_CultureInfoDisplayHelpSystem.LinqStreamReaderTextReaderAssemblyLoadersenderServicePointManagerResolveEventHandlerPingCastleAutoUpdaterEnterJavaScriptSerializerset_ForegroundColorConsoleColorResetColorFilesValidatorIEnumeratorGetEnumerator.ctor.cctorMonitorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesget_EntriesresourceNamessymbolNamesassemblyNamesget_FlagsAssemblyNameFlagsResolveEventArgsargsEqualsSystem.Web.ExtensionsSystem.Collectionsget_assetsset_assetsExistsAddDaysget_published_atset_published_atConcatObjectSystem.NetAssetExitToLowerInvariantset_UserAgentEnvironmentget_CurrentCountHttpWebRequestFirstMoveNextSystem.TextReadAllTextWriteAllTextpreviewget_NownumberOfDaysToWayPingCastleAutoUpdater_ProcessedByFodyConta
Source:	Binary string: costura.costura.pdb.compressed source: PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: D:\a\1\s\PingCastleAutoUpdater\obj\release\PingCastleAutoUpdater.pdb source: PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: PingCastle.exe.6.dr, PingCastleAutoUpdater.exe.6.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed!pingcastlecommonOcostura.pingcastlecommon.dll.compressedOcostura.pingcastlecommon.pdb.compressedGsystem.diagnostics.diagnosticsourceucostura.system.diagnostics.diagnosticsource.dll.compressedlDd source: PingCastleAutoUpdater.exe.6.dr

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastleAutoUpdater.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastle.exe, type: DROPPED

Source: PingCastleAutoUpdater.exe.6.dr

Static PE information: section name: .text entropy: 7.526102532371397

Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastleAutoUpdater.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastle.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\license.rtf

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1100000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 1006			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 8992			Jump to behavior

Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastleAutoUpdater.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastle.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6944	Thread sleep count: 1006 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6944	Thread sleep time: -503000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6944	Thread sleep count: 8992 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6944	Thread sleep time: -4496000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 5_2_0103B1D6 GetSystemInfo,

5_2_0103B1D6

Source: cmd.exe, 00000008.00000002.2565401642.0000000003101000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: 7p}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C)6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp" "C:\Users\user\Downloads\PingCastle_3.3.0.1.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf"	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastle.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\PingCastleAutoUpdater.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://provisioning.microsoftonline.com/IProvisioningWebService/ListDomainsT	0%	Avira URL Cloud	safe
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-	0%	Avira URL Cloud	safe
https://outlook.office365.comChttps://login.microsoftonline.com/organizations/oauth2/nativeclient	0%	Avira URL Cloud	safe
https://crocs.fi.muni.cz/public/papers/rsa_ccs17	0%	Avira URL Cloud	safe
https://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lcr/mu04c.pdf	0%	Avira URL Cloud	safe
https://bootstrap-table.com/	0%	Avira URL Cloud	safe
https://blog.0patch.com/2021/11/micropatch-for-remote-code-execution-by.html	0%	Avira URL Cloud	safe
https://enterinit.com/powershell-enable-active-directory-recycle-bin	0%	Avira URL Cloud	safe
https://oxfordcomputergroup.com/resources/ldap-channel-binding-signing-requirements/	0%	Avira URL Cloud	safe
https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-R	0%	Avira URL Cloud	safe
https://www.romhack.io/slides/RomHack%202018%20-%20Andrea%20Pierini%20-%20whoami%20priv%20-%20show%2	0%	Avira URL Cloud	safe
http://provisioning.microsoftonline.com/IProvisioningWebService/GetCompanyDirSyncFeaturesResponsee	0%	Avira URL Cloud	safe
http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationx	0%	Avira URL Cloud	safe
https://adsecurity.org/?p=376	0%	Avira URL Cloud	safe
http://provisioning.microsoftonline.com/IProvisioningWebService/ListRolesResponse	0%	Avira URL Cloud	safe
https://dirteam.com/sander/2011/07/13/preventing-ous-and-containers-from-accidental-deletion/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationz	0%	Avira URL Cloud	safe
http://provisioning.microsoftonline.com/IProvisioningWebService/ListUsersT	0%	Avira URL Cloud	safe
https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-envi	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationr	0%	Avira URL Cloud	safe
https://talubu.wordpress.com/2018/02/28/configuring-unc-hardened-access-through-group-policy/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationo	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationu	0%	Avira URL Cloud	safe
https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022	0%	Avira URL Cloud	safe
https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-service	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationt	0%	Avira URL Cloud	safe
https://editor.swagger.io/?url=https://gist.githubusercontent.com/vletoux/c6c565c8af07b4df5df65ed01f	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServiced	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationk	0%	Avira URL Cloud	safe
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/	0%	Avira URL Cloud	safe
http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/	0%	Avira URL Cloud	safe
https://www.securityinsider-wavestone.com/2020/01/taking-over-windows-workstations-pxe-laps.html	0%	Avira URL Cloud	safe
https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServicet	0%	Avira URL Cloud	safe
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServiceu	0%	Avira URL Cloud	safe
http://provisioning.microsoftonline.com/IProvisioningWebService/ListUsersByStrongAuthenticationT	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService~	0%	Avira URL Cloud	safe
https://adsecurity.org/?p=3466	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.AdministrationS	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Online.AdministrationN	0%	Avira URL Cloud	safe
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/	0%	Avira URL Cloud	safe
https://www.stigviewer.com/stig/active_directory_service_2003/2011-05-20/finding/	0%	Avira URL Cloud	safe
http://gary-nebbett.blogspot.com/2020/01/ldap-channel-binding.html	0%	Avira URL Cloud	safe
https://adsecurity.org/?p=2604	0%	Avira URL Cloud	safe
https://www.petri.com/active-directory-security-understanding-adminsdholder-object	0%	Avira URL Cloud	safe
https://syfuhs.net/lessons-in-disabling-rc4-in-active-directoryEThis	0%	Avira URL Cloud	safe
https://adsecurity.org/?p=3377	0%	Avira URL Cloud	safe
https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/	0%	Avira URL Cloud	safe
https://www.stigviewer.com/stig/windows_7/2012-08-22/finding/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
github.com	140.82.121.4	true	false	high
www.google.com	142.250.185.100	true	false	high
objects.githubusercontent.com	185.199.111.133	true	false	high
x1.i.lencr.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://access.redhat.com/articles/4661861	PingCastle.exe.6.dr	false		high
https://github.com/nsacyber/Pass-the-Hash-Guidance	PingCastle.exe.6.dr	false		high
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://github.com/netwrix/pingcastle/issues	PingCastle.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultT	PingCastle.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumeration/PullResponse	PingCastle.exe.6.dr	false		high
https://www.youtube.com/Netwrix)	Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	false		high
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory	PingCastle.exe.6.dr	false		high
https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html#vuln_	PingCastle.exe.6.dr	false		high
http://provisioning.microsoftonline.com/IProvisioningWebService/ListDomainsT	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.netwrix.com/social_communities.html)	Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	false		high
https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-R	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://crocs.fi.muni.cz/public/papers/rsa_ccs17	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://outlook.office365.comChttps://login.microsoftonline.com/organizations/oauth2/nativeclient	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/hybrid/connect/tshoo	PingCastle.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumeration/RenewResponse	PingCastle.exe.6.dr	false		high
https://oxfordcomputergroup.com/resources/ldap-channel-binding-signing-requirements/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://main.iam.ad.ext.azure.com/api/Directories/	PingCastle.exe.6.dr	false		high
https://blog.0patch.com/2021/11/micropatch-for-remote-code-execution-by.html	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://bootstrap-table.com/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://enterinit.com/powershell-enable-active-directory-recycle-bin	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://github.com/p0dalirius/Coercer	PingCastle.exe.6.dr	false		high
https://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lcr/mu04c.pdf	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://provisioning.microsoftonline.com/IProvisioningWebService/ListRolesResponse	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://provisioning.microsoftonline.com/IProvisioningWebService/GetCompanyDirSyncFeaturesResponsee	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/enumeration/GetStatusResponse	PingCastle.exe.6.dr	false		high
https://www.romhack.io/slides/RomHack%202018%20-%20Andrea%20Pierini%20-%20whoami%20priv%20-%20show%2	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://provisioningapi.microsoftonline.com/provisioningwebservice.svc%UserIdentityHeaderQhttp://pro	PingCastle.exe.6.dr	false		high
https://dirteam.com/sander/2011/07/13/preventing-ous-and-containers-from-accidental-deletion/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://sts.windows.net/3Exception	PingCastle.exe.6.dr	false		high
https://graph.windows.net	PingCastle.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumeration/EnumerateT	PingCastle.exe.6.dr	false		high
https://github.com/PSSecTools/Krbtgt	PingCastle.exe.6.dr	false		high
http://provisioning.microsoftonline.com/IProvisioningWebService/ListUsersT	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	PingCastle.exe.6.dr	false		high
https://adsecurity.org/?p=376	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationz	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationx	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://github.com/decoder-it/psgetsystem	PingCastle.exe.6.dr	false		high
https://github.com/lgandx/Responder-Windows	PingCastle.exe.6.dr	false		high
https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-envi	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/enumeration/EnumerateResponse	PingCastle.exe.6.dr	false		high
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationr	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://csrc.nist.gov/publications/detail/fips/186/5/draft	PingCastle.exe.6.dr	false		high
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationo	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://talubu.wordpress.com/2018/02/28/configuring-unc-hardened-access-through-group-policy/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationu	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationt	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/transfer/PutT	PingCastle.exe.6.dr	false		high
https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-service	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://editor.swagger.io/?url=https://gist.githubusercontent.com/vletoux/c6c565c8af07b4df5df65ed01f	PingCastle v3.0.0.pdf.6.dr	false	Avira URL Cloud: safe	unknown
https://medium.com/	PingCastle.exe.6.dr, changelog.txt.6.dr	false		high
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServiced	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administrationk	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://github.com/ANSSI-FR/AD-control-paths	PingCastle.exe.6.dr	false		high
https://www.securityinsider-wavestone.com/2020/01/taking-over-windows-workstations-pxe-laps.html	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/transfer5	PingCastle.exe.6.dr	false		high
https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServicet	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebServiceu	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://twitter.com/0gtweet/status/1303427935647531018?s=20	PingCastle.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/transfer/PutResponse	PingCastle.exe.6.dr	false		high
https://community.spiceworks.com/pages/NetWrix)	Active_Directory_Security_Self_Assessment_v1.4.pdf.6.dr	false		high
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorizeAhttps://login.microsoftonline.	PingCastle.exe.6.dr	false		high
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://provisioning.microsoftonline.com/IProvisioningWebService/ListUsersByStrongAuthenticationT	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.cert.ssi.gouv.fr/information/	PingCastle.exe.6.dr	false		high
https://www.kb.cert.org/vuls/id/836068	PingCastle.exe.6.dr	false		high
http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration.WebService~	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.AdministrationS	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://adsecurity.org/?p=3466	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Online.AdministrationN	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1	PingCastle.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumeration	PingCastle.exe.6.dr	false		high
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://gary-nebbett.blogspot.com/2020/01/ldap-channel-binding.html	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.netwrix.com/support.html	PingCastle.exe.6.dr	false		high
https://datatables.net/)	PingCastle v3.0.0.pdf.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteT	PingCastle.exe.6.dr	false		high
https://api.github.com/repos/netwrix/pingcastle/releases	PingCastleAutoUpdater.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/transferT	PingCastle.exe.6.dr	false		high
https://graph.windows.net/	PingCastle.exe.6.dr	false		high
https://syfuhs.net/lessons-in-disabling-rc4-in-active-directoryEThis	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://attack.mitre.org/techniques/9Mitre	PingCastle.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumeration/GetStatusT	PingCastle.exe.6.dr	false		high
https://www.petri.com/active-directory-security-understanding-adminsdholder-object	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.11.dr	false		high
https://adsecurity.org/?p=3377	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://community.spiceworks.com/t/are-redirected-printers-a-security-risk/826344/27	PingCastle.exe.6.dr	false		high
https://adsecurity.org/?p=2604	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.stigviewer.com/stig/active_directory_service_2003/2011-05-20/finding/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.stigviewer.com/stig/windows_7/2012-08-22/finding/	PingCastle.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://github.com/BloodHoundAD/BloodHound	PingCastle.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateT	PingCastle.exe.6.dr	false		high
https://getbootstrap.com/)	PingCastle v3.0.0.pdf.6.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.100	www.google.com	United States	15169	GOOGLEUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false
185.199.111.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587408
Start date and time:	2025-01-10 10:53:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.rans.troj.evad.win@41/59@8/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.163, 142.250.184.238, 142.250.110.84, 142.250.184.206, 142.250.186.78, 199.232.214.172, 192.229.221.95, 2.23.240.205, 142.250.185.174, 50.16.47.176, 54.224.241.105, 18.213.11.84, 34.237.241.83, 2.16.168.107, 2.16.168.105, 162.159.61.3, 172.64.41.3, 142.250.181.238, 23.209.209.135, 142.250.186.46, 142.250.185.110, 172.217.16.195, 142.250.186.142, 172.217.16.206, 2.23.242.162, 20.12.23.50, 104.77.220.172, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, clientservices.googleapis.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, update.googleapis.com, clients.l.google.com, geo2.adobe.com, crl.root-x1.letsencrypt.org.edgekey.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip

Simulations

Behavior and APIs

Time	Type	Description
04:54:59	API Interceptor	1x Sleep call for process: AcroCEF.exe modified
04:55:19	API Interceptor	15997x Sleep call for process: unarchiver.exe modified

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.261912772529715
Encrypted:	false
SSDEEP:	6:iO4oRKSyMq2Pwkn2nKuAl9OmbnIFUtSoRKSXjZZmwsoRKSXjzkwOwkn2nKuAl9Oe:7vHyMvYfHAahFUtRHN/7H/5JfHAaSJ
MD5:	EC6FE04A6B853A8CC1D9E132DD6FD8BB
SHA1:	273ACD55A7A2083B9CA5349D29F13F2B8336ECEC
SHA-256:	0F9FBD5348F994EFECD30FF6D094B85D6F6DAD44506A2A0BCED146CC54D96BD8
SHA-512:	75B2D5B25A304717C5C29A0B45D5C0ECCC35AE393E00EF7813AA9E1F732045A405E33193C052731869144697FFA35E53B42DBBE7197CEE678030D448A4344673
Malicious:	false
Reputation:	low
Preview:	2025/01/10-04:54:46.779 1934 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/10-04:54:46.781 1934 Recovering log #3.2025/01/10-04:54:46.781 1934 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	2803867
Entropy (8bit):	7.932015097296447
Encrypted:	false
SSDEEP:	49152:WG9z3ohyZ218Stk+FH3nLpm6K+I97/Y0LEMOvMAeQIlDJB/F3:WCzsW2mwk4H3nLMD97/RLEM+kQIF3
MD5:	870B825A7657DACE55AD4A4A78169899
SHA1:	9D92DCB9165646D59A6E1E5E6A65C37648362115
SHA-256:	D19CDFBAA10106C0245CC9517714C353A0BC40A26BB6640EB8B022AAF9BD2007
SHA-512:	3A58E0AAA685F813BF3025487BF7D5320E635773CCC1964D57BA86BC3579F2CFE1D1F7FF57438FBEED37FEE83343F6BBCA01DAC54BC67EAB7BB47AA9EF62C78F
Malicious:	false
Reputation:	low
Preview:	%PDF-1.7.%......174 0 obj.<</Linearized 1/L 2803867/O 176/E 1646921/N 16/T 2800266/H [ 616 1108]>>.endobj. ..xref..174 16..0000000016 00000 n..0000001724 00000 n..0000001855 00000 n..0000002877 00000 n..0000002991 00000 n..0000003326 00000 n..0000003363 00000 n..0000003811 00000 n..0000004068 00000 n..0000004560 00000 n..0000006497 00000 n..0000009147 00000 n..0000018501 00000 n..0000048746 00000 n..0000048785 00000 n..0000000616 00000 n..trailer..<</Size 190/Root 175 0 R/Info 173 0 R/ID[<26B8313D07E39E439DD1E3935C32E232><E7CE2211823CC540BEAF109AC30B433A>]/Prev 2800254>>..startxref..0..%%EOF.. ..189 0 obj.<</Filter/FlateDecode/I 1278/Length 1009/O 1262/S 994/T 1198>>stream..h.b```....l..l..... ..cg`a..i<.`..!....~b.GEh...........Z../...0.9.4....;{.D.....^<;..n...Y.....0...+.....e...S%.d<..N..;P..$&...JeU..2....v$..N..m...r:..).k..7sK^....m#...7.w.t.1px..`.<..I......<.b.Nm.+.~.-mQY\|u.........A.....e..+..tni.B..v.u..l1.P)........t..)VO...r{.H....2...p.....p

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	5.1903279434330205
Encrypted:	false
SSDEEP:	48:xp2pN3pyG4pyGb4pyG4pyGpKpyG5WuzpyG4pyGpfpyGbupyGSpyGwpyG4pyG4pyB:AMntn
MD5:	423109B325E3EAACF78700EBF535CAB5
SHA1:	3F523BCF4A1678861E652E8F2B108CC2751267AA
SHA-256:	BD5CE0010DB1FE4CD471BF7880C96EB3B166B96C59102249A6E86C931ED49BDD
SHA-512:	C3C1144A02DD618197DE5E000E9612BDCB911851D48EB59BD23BD6392C7076A6496D4A0EC152BAABE7635A0D895E8015F23C9072CD11A054323D9F521A47D04E
Malicious:	false
Reputation:	low
Preview:	01/10/2025 4:54 AM: Unpack: C:\Users\user\Downloads\PingCastle_3.3.0.1.zip..01/10/2025 4:54 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp..01/10/2025 4:54 AM: Received from standard out: ..01/10/2025 4:54 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..01/10/2025 4:54 AM: Received from standard out: ..01/10/2025 4:54 AM: Received from standard out: Scanning the drive for archives:..01/10/2025 4:54 AM: Received from standard out: 1 file, 5479682 bytes (5352 KiB)..01/10/2025 4:54 AM: Received from standard out: ..01/10/2025 4:54 AM: Received from standard out: Extracting archive: C:\Users\user\Downloads\PingCastle_3.3.0.1.zip..01/10/2025 4:54 AM: Received from standard out: --..01/10/2025 4:54 AM: Received from standard out: Path = C:\Users\user\Downloads\PingCastle_3.3.0.1.zip..01/10/2025 4:54 AM: Received from standard out: Type = zip..01/10/2025 4:54 AM: Received from standard out: Physical Size = 5479682..01/10/20

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	13780
Entropy (8bit):	7.98648541539224
Encrypted:	false
SSDEEP:	384:D1FjjaVWNTeymaL32N/SZgG9ZTjs/rh4H:HyVTyjyNaCG9ZTjShA
MD5:	5571C841166DEC66B22C52CE7A1DE489
SHA1:	B494E10231F44B5F2EFD23DF23543355CE88CF13
SHA-256:	F5A28330BBC7302C169572143C9FCBE1DEA7672A3CE8DFBD9751CC1DDB5B3CC9
SHA-512:	C0702D9988B22045EF4D7852AB1448106A7ADBCC89ECAD9ED9AD37A7BE0AA4B592DF601178B11DB5CB584F16444EB510F9948DBC2287E9B4C8EC3800FCD97B24
Malicious:	false
Reputation:	low
Preview:	PK..........9Y....4..........changelog.txt.[]s.6...L...3.#.X.e;M.s.JI.....v;sn.@$$!&.......@B..^$.H\|,...>...'......./.Z.....}...V9%\W+x ......NU...5.,.\|.r.Ui....I..3.;..{..0...\|.3...n....5.RA.A.8..^...ccY}.<N..,...x..;#W........V..i7<Q0...-<.gb.]j......K..........u...F..o.v-./.{.Z.Fj3..m....t./..+.D.I%...B...Zk..]?S.._..k.l.f...J7.....U..p...v..Kg.+..z[...#..Y...%...P_K.J=..t_...O.._[g[..N4~.(.e..F.x.?:.$t.b.`..j.#....M.J..F......`.'i.)N.7..l..94R.....i......:#..l...6:l....Z. {k...Q..mT.a.&...x.u].N.....-...4.T^...hHr.{..xn...V...w...d...E../m.....).6!.h4............Q..bm..],.}..v.$.8.~w'.;.'..z...]M.L...-.9.U...Xa..g....\..WC.~\|.m...^.$....UvN.........z1......~P...k..R...w.._.h.....f.[!.Yr.C.....W...4(...D..H...k..6"l........YK.z.w.....o......\|.\a...`+...pe..i1[...h....,W.8.u..q.S.FZ.....7..4q1.)./..V../../.%....t.2.}.I...W...'?.s..,...1IT(&.......5.4"...SQo.wmk..(`.'....)..%...`...0....f.`q..w.........i:......eMM.t...@%p.\...n...s.....

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 10:54:32.439027071 CET	53	54832	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:32.718605042 CET	53	52754	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:33.854044914 CET	53	61911	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:35.999783993 CET	52471	53	192.168.2.4	1.1.1.1
Jan 10, 2025 10:54:35.999912024 CET	54406	53	192.168.2.4	1.1.1.1
Jan 10, 2025 10:54:36.006603003 CET	53	54406	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:36.006880999 CET	53	52471	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:38.481448889 CET	60138	53	192.168.2.4	1.1.1.1
Jan 10, 2025 10:54:38.481803894 CET	59493	53	192.168.2.4	1.1.1.1
Jan 10, 2025 10:54:38.488141060 CET	53	60138	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:38.488533020 CET	53	59493	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:39.555864096 CET	55036	53	192.168.2.4	1.1.1.1
Jan 10, 2025 10:54:39.556338072 CET	52067	53	192.168.2.4	1.1.1.1
Jan 10, 2025 10:54:39.562592983 CET	53	55036	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:39.563689947 CET	53	52067	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:46.097372055 CET	138	138	192.168.2.4	192.168.2.255
Jan 10, 2025 10:54:50.888336897 CET	53	50009	1.1.1.1	192.168.2.4
Jan 10, 2025 10:54:59.394174099 CET	49902	53	192.168.2.4	1.1.1.1
Jan 10, 2025 10:55:09.662484884 CET	53	53139	1.1.1.1	192.168.2.4
Jan 10, 2025 10:55:16.202289104 CET	55538	53	192.168.2.4	1.1.1.1
Jan 10, 2025 10:55:31.978921890 CET	53	57647	1.1.1.1	192.168.2.4
Jan 10, 2025 10:55:32.304838896 CET	53	51448	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2025-01-10 09:54:39 UTC	720	OUT	GET /netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip HTTP/1.1 Host: github.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-10 09:54:39 UTC	969	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Fri, 10 Jan 2025 09:54:39 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/146924413/3bc39ae0-06ab-46ba-9145-597f72315fc8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250110T095439Z&X-Amz-Expires=300&X-Amz-Signature=7baf7e0309ddde41fc38b6583aff69974df729cb65205dc720c7b02c0841e8d5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPingCastle_3.3.0.1.zip&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-01-10 09:54:39 UTC	3382	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Timestamp	Bytes transferred	Direction	Data
2025-01-10 09:54:40 UTC	1153	OUT	GET /github-production-release-asset-2e65be/146924413/3bc39ae0-06ab-46ba-9145-597f72315fc8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250110T095439Z&X-Amz-Expires=300&X-Amz-Signature=7baf7e0309ddde41fc38b6583aff69974df729cb65205dc720c7b02c0841e8d5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPingCastle_3.3.0.1.zip&response-content-type=application%2Foctet-stream HTTP/1.1 Host: objects.githubusercontent.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-10 09:54:40 UTC	807	IN	HTTP/1.1 200 OK Connection: close Content-Length: 5479682 Content-Type: application/octet-stream Last-Modified: Wed, 25 Sep 2024 19:16:08 GMT ETag: "0x8DCDD968282CA05" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: 48c347df-601e-005e-2e75-550ab5000000 x-ms-version: 2024-11-04 x-ms-creation-time: Wed, 25 Sep 2024 19:16:08 GMT x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=PingCastle_3.3.0.1.zip x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 0 Date: Fri, 10 Jan 2025 09:54:40 GMT X-Served-By: cache-iad-kjyo7100168-IAD, cache-ewr-kewr1740068-EWR X-Cache: HIT, HIT X-Cache-Hits: 1683, 0 X-Timer: S1736502880.119360,VS0,VE12
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 f7 a9 39 59 01 0a c8 c2 81 34 00 00 bd 93 00 00 0d 00 00 00 63 68 61 6e 67 65 6c 6f 67 2e 74 78 74 84 5b 5d 73 db 36 b3 be ef 4c fe 03 c6 33 a7 23 e7 58 8a 65 3b 4d da 99 73 a1 4a 49 93 b7 89 ad 9a 76 3b 73 6e ce 40 24 24 21 26 01 16 00 ed a8 bf fe ec 07 40 42 96 92 5e 24 96 48 7c 2c 16 bb cf 3e bb 80 2e 27 97 93 f3 c9 f4 c5 0f 2f c5 5a 7f 15 d2 08 ed 7d a7 c4 d3 56 39 25 5c 57 2b 78 20 8c 0d a2 d2 be ad e5 4e 55 f8 0e 9a 35 ad 2c 03 7c eb bc 72 fe 55 69 9b b6 0b f0 49 94 b6 33 01 3b d5 ca 7b 11 b6 30 e4 f4 fc 7c 82 33 bc 87 19 6e 0a f1 08 cd b4 35 a2 52 41 95 41 db 38 e7 8b 1f 5e fc c0 e2 9c 63 63 59 7d e9 3c 4e 10 b6 2c 88 17 c5 78 a1 fc 3b 23 57 b5 aa ce e0 db f2 a9 ba b6 e1 56 fd dd 69 37 3c 51 30 fe bb af 2d 3c f2 67 62 Data Ascii: PK9Y4changelog.txt[]s6L3#Xe;MsJIv;sn@$$!&@B^$H\|,>.'/Z}V9%\W+x NU5,\|rUiI3;{0\|3n5RAA8^ccY}<N,x;#WVi7<Q0-<gb
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: 57 8c 58 40 14 ce b3 f7 cf 6b 0d 42 41 08 71 2a f4 f4 51 ad 61 55 15 69 1a 3d 56 76 20 94 09 11 b7 53 64 c9 a9 28 68 75 e3 62 e8 24 f4 9c 2d 6e d5 06 d8 95 a3 2e 84 28 20 a1 6e 51 35 6a 9f c2 00 a9 7b 04 c5 83 3d 6d e5 a3 62 1e 13 25 38 43 74 ac 3b b2 80 77 68 56 d6 20 69 7b 50 62 83 14 30 21 fe 31 4a 14 97 f2 8f 72 76 10 f8 7c d8 29 49 6c c7 03 47 32 ca 25 9b 1a b5 bb b0 b5 26 92 20 c7 53 c5 ad 5e 75 81 6c 0e 59 81 fa da d6 56 63 a8 3a 25 19 c6 63 ff a0 db 71 55 8e 5d 5b 46 b6 89 ae 07 f6 a0 3d 4d 72 d4 0d 16 f3 f1 9c e9 56 23 03 2e 61 43 6f 73 c1 60 36 d8 69 ec 9d 60 b3 18 df d4 d5 75 a8 1b 9a f9 40 d3 30 79 90 0f 14 31 12 c2 20 d1 41 b3 79 72 24 32 86 17 fc 1b 29 c2 74 f2 9a f5 a2 be a2 aa 55 72 69 61 57 5f 20 2a 81 67 33 49 aa ad 7d f0 ac 91 de fc 22 Data Ascii: WX@kBAqQaUi=Vv Sd(hub$-n.( nQ5j{=mb%8Ct;whV i{Pb0!1Jrv\|)IlG2%& S^ulYVc:%cqU][F=MrV#.aCos`6i`u@0y1 Ayr$2)tUriaW_ g3I}"
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: c4 b0 d9 8f 70 ff c8 28 50 9e d3 24 50 da 18 0a 2c 8d de 38 82 50 14 7b 62 20 cd bb c4 76 f4 e9 6a f2 1a 9b b0 dc 14 d3 87 62 db bc b6 5d 85 25 1f a4 57 69 21 11 4d e6 ca 85 77 c6 41 8c 9b b3 19 a7 34 9e 73 05 94 2a 7a 0a 3e 4c 45 a5 f9 af e8 0f b1 2a 91 46 a4 4a 73 0d d0 2a 18 68 3a 47 85 05 7a 82 26 8e 66 84 5f b2 78 c6 a4 a5 3f fc 30 34 46 2a 52 0c 7b a0 0d 15 06 fb fd 81 d8 c1 76 52 61 a6 1f 58 b6 78 9c f1 32 05 6c a4 4f ac 71 84 0f 6a 9c 18 9c 0e 5c 9d 2b cb 66 9f d6 0c 5a c6 fd fc 8e 9e 0f e0 26 f1 ac 59 32 0b 9c e0 f0 f1 62 9e 16 f1 a8 7b ce 04 53 81 57 88 7f ac 19 08 32 17 7b 16 73 b6 89 11 ea 8e aa 8d 74 40 b2 30 9e 5a f7 5e fe e1 ee 6e 29 e6 5c 46 05 c9 ef 14 e5 5d a8 c4 eb bb 4f 9f 79 8c 27 b5 f2 3a 60 c1 1d 72 34 8e b5 d7 6a 63 03 56 ac 32 67 Data Ascii: p(P$P,8P{b vjb]%Wi!MwA4sz>LEFJsh:Gz&f_x?04FR{vRaXx2lOqj\+fZ&Y2b{SW2{st@0Z^n)\F]Oy':`r4jcV2g
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: 38 ab 8c c7 47 7d 01 4a af bf 73 a7 89 dc ce c4 03 bc e3 87 67 7f a9 15 1f 5f f6 91 1c d5 31 3c 4d 87 de d9 39 38 6f 73 ba 21 50 47 93 01 46 a8 d7 6a ef 3c 88 68 44 55 89 0f e8 0a cb c1 15 22 85 4f 5b 9f f9 a6 7a 94 75 17 0d c0 55 91 da bc 4b b4 c6 ef c0 74 1a 40 99 47 8f e1 1d a3 fb 9b d3 84 fb 55 57 a2 99 de 14 c2 80 07 61 0a 0b 93 23 fb 71 e1 39 c7 22 51 77 99 4d 79 01 7f b7 c4 29 7e 89 79 2d 25 0f 8a 43 e4 e1 82 69 43 19 32 d0 b6 a3 b5 52 dd 88 06 c4 a4 25 e8 40 f3 11 b1 39 9f 4c 63 45 1c 16 b4 c1 2b 32 51 a3 98 bb 9c 0d 15 3f f4 c0 a8 a5 38 5d 7e 0a cb f1 6e b5 7f c5 2d 5e 8e e0 bd 01 80 99 67 29 e5 f3 8a 1d ce 3e 54 83 e2 6d 3f 82 a3 12 03 1a 61 e1 f6 19 27 ed e5 4f c4 2c 5d 74 92 15 03 89 73 d6 0d e7 7d 1c 4f bf 36 35 5d 05 40 e9 91 00 77 6d 50 d5 Data Ascii: 8G}Jsg_1<M98os!PGFj<hDU"O[zuUKt@GUWa#q9"QwMy)~y-%CiC2R%@9LcE+2Q?8]~n-^g)>Tm?a'O,]ts}O65]@wmP
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: 24 c3 c0 c9 86 7a d3 77 ce 82 b3 92 e3 75 d7 70 d1 29 5d 0e 4c 71 10 b0 09 c8 1e 6f 64 9f a6 76 10 52 fa 09 c8 0b 3c 84 91 72 1b b9 20 65 16 60 f3 e9 36 a1 18 f1 6d cf 44 59 a2 da 89 92 a4 6b f7 fb 6a fb 5c 88 f7 b3 3f 68 20 be fb 8e 57 34 55 48 e6 3d 1b a7 a7 a8 de 5a 9b 87 ac f2 6a b2 df db 64 0c b1 28 3e 25 d6 43 c5 76 b0 d6 13 df f9 96 ca 3d 27 5c 91 32 2a d0 35 be 4a a1 2d a6 21 b9 7c 43 65 63 99 0a ca 9a 7e c7 10 76 67 28 e3 13 96 df 02 df 42 83 cd b2 91 2f 04 fb c0 57 a9 30 ae 87 2d 66 89 1e f2 b3 ce 90 4f ac 38 31 89 8c 2e 1c bf 10 93 55 4f 36 94 1d ef 95 53 96 9d 03 8e a7 ce 0e 8a 2c f9 93 39 09 5c 74 64 24 28 ed 71 d2 36 9c 78 92 04 9f 75 00 05 cd 42 f8 11 bc aa 01 21 d9 4f bf 17 4b 87 1f d8 cd 86 0b de e9 08 69 bd 7f ff a8 3f a7 69 01 2a 82 c1 Data Ascii: $zwup)]LqodvR<r e`6mDYkj\?h W4UH=Zjd(>%Cv='\25J-!\|Cec~vg(B/W0-fO81.UO6S,9\td$(q6xuB!OKi?i
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: 24 77 99 bd 34 c8 f4 28 d6 0e 31 31 4d 14 fb dd 4c 86 de 3d 40 1e ab cd d0 09 a7 07 b7 28 87 8b 7c ea 04 46 35 6f dc 1b 2c 68 40 49 8f a3 b4 24 7d d9 64 23 93 63 5f f5 ca 91 65 42 b2 f6 a9 fd f7 d0 59 20 65 48 2b 9d ed 8d 69 5f 25 6a 9f 8c cf 9a a7 b0 a5 cb 3c ec 9f e0 7d d0 ef df 40 f7 cb 3c b8 4f e9 5f ca 85 9a 79 10 a3 ff 29 35 29 59 02 d2 b0 d3 55 5a 3f 00 50 01 31 e3 64 bb 24 5c 5f dc b7 c7 2b 78 6e a6 41 81 a5 f5 23 a6 d1 8b 36 88 6f 76 eb 32 f5 1f 76 00 5f 88 82 7d ca 1b 4e e8 10 2b 41 4f a7 62 55 d9 68 a5 9b ad 9f 1a 49 29 a1 45 36 55 20 a0 04 a5 49 51 5a bf f7 08 89 fe df 00 b6 3b 1d 2e 1e 3b d6 2b 02 67 18 ca 2c f2 54 52 4a 9d 12 ab ce 7f 17 42 f5 e6 65 c4 ba d4 c0 4e de a2 29 9c 9f 8e 11 ff fd 16 43 8f 3a 6c b6 94 de 98 b3 4d 46 ce e6 52 16 00 Data Ascii: $w4(11ML=@(\|F5o,h@I$}d#c_eBY eH+i_%j<}@<O_y)5)YUZ?P1d$\_+xnA#6ov2v_}N+AObUhI)E6U IQZ;.;+g,TRJBeN)C:lMFR
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: 01 0b c8 3f a3 a4 5d fc c6 f4 e3 67 ba ce 51 04 8d 90 88 48 7d a2 f8 49 b7 c8 ae 9c 29 3d 66 82 22 83 6f b1 d5 db 7a cd e7 f0 0c 5e c9 83 93 24 30 da d9 3c 01 d1 9e db 6b 41 0b 6c d4 22 b5 9a 4a 89 52 b5 5f 22 9d 12 52 42 dc e3 f1 75 dc a2 5f a6 2b ad c7 87 e5 ec 11 65 78 be 37 fa cb d7 db 33 fa ed e8 a4 53 d0 28 2e ea 43 dc b6 fa 58 1f 86 ad 32 92 11 92 46 30 57 4b 27 72 1e 28 fc 48 d1 9e cb 31 d9 d9 27 ad 74 8f 06 f4 50 d4 ad 24 ac a4 a1 14 d7 ad 5f 00 45 e0 3c a1 82 2c 16 c3 5c e2 cc c1 3b 4a 1d bc fb d7 b0 de 21 1b be ab 14 f9 3e 63 86 16 b5 dc 6a 18 36 db 3d a2 4b 54 2f ea 84 c3 ef 00 5e 9f 97 5c 4a e1 12 11 61 5e b4 1d 77 6d 11 90 46 02 b3 f2 58 82 e7 7c fb 5d 33 60 20 28 c2 92 48 a9 01 8e 7c bb 17 7a 77 68 36 6e f4 d2 fa ca 9d 0a 42 5f aa 4f 32 57 Data Ascii: ?]gQH}I)=f"oz^$0<kAl"JR_"RBu_+ex73S(.CX2F0WK'r(H1'tP$_E<,\;J!>cj6=KT/^\Ja^wmFX\|]3` (H\|zwh6nB_O2W
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: bb 26 bf 9f 9e 5d 9c fd 4a 57 f7 b5 ef 56 45 6d d5 91 0b b7 4a dd 22 42 88 52 74 d1 43 5e 4c e0 84 b8 ad fd d4 2e 6a 45 a2 4f 4a c2 d0 4f 69 59 62 a7 d1 5a 55 28 02 c4 5f ab 30 14 d7 d2 67 0c 63 3b d6 a5 f0 11 63 73 13 1f 81 12 17 7b 25 7f 9e bd ce 8d 7f 26 15 e0 20 a2 ce ea 69 bc 9a f4 e6 36 35 36 6d b4 04 cb 2e 75 96 97 a7 27 db d5 37 f3 39 97 cc 9f 54 b3 0d 24 b8 68 4f ac 9a ee bd 73 33 b8 cd a6 9b 69 91 7d 6e 07 bf f0 88 dc 4b 70 53 7c 36 2a ce 2f 84 5a 4a 3f ee b0 c7 6c a6 84 1d a5 b3 97 cb b4 7e 8c de 35 76 a1 b6 48 6e e8 47 00 e9 28 37 8e 9a a2 6c 03 fd 66 97 a7 15 e0 6e d7 04 e0 da 8a 61 e9 48 a2 87 7c e7 92 9c 89 4b 7e 42 9e ed ef 9a 3e 24 ed 36 97 4e 99 99 7a a2 51 a7 90 e3 4c c1 4d 9d 9b 50 31 38 5e b2 7d 1b 62 35 fb a0 2b a3 66 c8 a1 e8 94 74 Data Ascii: &]JWVEmJ"BRtC^L.jEOJOiYbZU(_0gc;cs{%& i656m.u'79T$hOs3i}nKpS\|6*/ZJ?l~5vHnG(7lfnaH\|K~B>$6NzQLMP18^}b5+ft
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: 66 b4 f1 31 ef 1f 3a df b1 9b b9 e5 e5 ea 63 52 0b 48 3c 7c 09 fc c7 bf 65 4a d0 6f f8 2d 7f ca 36 1d 60 92 49 75 7f bf ae ed 29 73 ef d5 c7 a7 5f c5 8d 46 01 2a ed e2 5a 33 04 67 8b 65 b3 b1 2e 59 16 8e a2 f3 8b 92 96 b5 95 20 9c d8 a4 bc 87 cf 35 24 19 9a fa 8d 01 39 57 05 84 df d6 cc 55 ce 6e 82 11 6d 69 72 b0 1e 4b 71 7f e1 2b 75 10 54 a5 f5 ad 9c fc ae d6 d1 8c 4f 61 85 68 6d 2b 7c b3 e5 90 ca 02 f7 20 6f aa 74 8b bc d2 27 73 c6 12 b3 2a 3c 13 e7 b5 4a 66 29 68 4b 88 65 62 f0 ee b7 52 38 83 01 a5 55 06 38 36 04 d4 29 54 0c 32 85 95 20 96 49 92 89 bd 09 bd 62 a0 54 be 2a 95 fb f6 24 6a 3b 60 c4 3d 06 11 c3 5c 22 0d 6e e3 f3 78 19 4e e6 34 4c 73 51 3d 3f 26 d1 c8 2f 48 06 e4 fb b7 ef bd ef c3 90 e5 60 35 b8 45 b1 e4 b3 a8 2c f7 d9 9b 4c b7 b4 8d c9 bd Data Ascii: f1:cRH<\|eJo-6`Iu)s_FZ3ge.Y 5$9WUnmirKq+uTOahm+\| ot's<Jf)hKebR8U86)T2 IbT*$j;`=\"nxN4LsQ=?&/H`5E,L
2025-01-10 09:54:40 UTC	1378	IN	Data Raw: 2f 93 8f b3 e9 c7 b7 61 6a 0f b7 ca 07 6f af 1b 41 c9 d8 b3 4b 79 ac 4e aa 2e 71 d8 81 3d f7 63 87 fb 85 96 79 8d a6 4b fa 5e 8f 3e 90 f9 f9 ab fb 24 94 be c9 a3 93 2d 7e d0 d2 2d 4c 03 0f 45 d6 1a 9d 78 4d 53 ed 98 11 60 6a 70 0f 06 0c a6 1e 3c 4c 07 b4 6b a3 e6 b7 0c b0 60 f1 b3 6d 77 7a c2 d8 93 1e 61 2b c8 76 5a e3 c4 51 8a 08 72 69 c9 7e 5c b3 a2 8f e5 6e 8b 6f 97 28 3b 53 33 37 45 87 19 d0 e8 68 e8 72 7c 74 3c 38 7c ff 91 1c 60 e9 03 86 fa 2b 73 1a 45 4c 35 98 64 7c 18 32 1f fe 1d 55 29 45 83 a6 66 38 cf 46 8b d4 4c bf 4d f9 44 af a7 ac 9d 79 6a 55 8e 26 47 d6 27 68 9e d2 95 cf 87 00 71 5b ef f8 5e ba d4 e4 0c 61 bf d4 a8 b5 3f dd 9c ef fa cc 80 15 60 c6 c3 7a c0 2b 51 30 6f 30 a8 17 cd b2 29 ea ad b5 4b 9a 3e 3a 79 24 60 7d 14 13 ab e4 7c 63 a8 9a Data Ascii: /ajoAKyN.q=cyK^>$-~-LExMS`jp<Lk`mwza+vZQri~\no(;S37Ehr\|t<8\|`+sEL5d\|2U)Ef8FLMDyjU&G'hq[^a?`z+Q0o0)K>:y$`}\|c

Target ID:	0
Start time:	04:54:28
Start date:	10/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	04:54:30
Start date:	10/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2476,i,8198650963386273841,13647284136402883920,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	04:54:37
Start date:	10/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	04:54:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\PingCastle_3.3.0.1.zip"
Imagebase:	0x730000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	8
Start time:	04:54:45
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hqqkbpyi.fzp\Active_Directory_Security_Self_Assessment_v1.4.pdf"
Imagebase:	0x800000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	11
Start time:	04:54:46
Start date:	10/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7124

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7124

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Windows Analysis Report
https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre